Data breaches have both immediate and long-term impact on business performance. Firstly, there is the short-term cost of dealing with a breach, often an immediate loss of custom, followed by a loss of reputation no matter how well the breach is dealt with.

Consumer website Comparitech has studied the stock market performance of 28 companies that have recently suffered a significant data breach and found long-term stock market underperformance as a result. Comparitech, as reported by CPO Magazine, found immediate negative reactions from investors as well as market underperformance for up to three years.

With that in mind, let’s look at some of the last week’s data breaches to help us to learn how to better protect our data and systems from cybercriminals and accidental breaches.

Gamers hit by Magic the Gathering and MTG Arena data breach

Wizards of the Coast, creators of Magic the Gathering, has contacted players to inform them of a data breach that has leaked names, email addresses, and passwords.

Eurogamer, reporting on November 17, reveals that an email has been sent to affected players. Wizards of the Coast says an internal database from a decommissioned login version was accidentally “made accessible” online.

So far, it’s not believed that the data has been used maliciously or that any financial information is at risk. Eurogamer also notes that the revealed passwords were encrypted, which may protect them from being misused. Wizards of the Coast adds:

“We believe this was an isolated incident related to a legacy database and is unrelated to our current systems. Based on our current investigation, we have no reason to believe that any malicious use has been made of the data.”

The company is asking players to update their passwords in the next seven days or request that Wizards of the Coast reset a password if necessary.

– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series

Fairfax County Police Department, US

A breach at another local police department may have led to the personal information of up to 500 employees of the Fairfax County Police Department, Virginia, US, and its police chief being compromised.

The Washington Post reports that names, dates of birth, and social security numbers of police and other staff were contained in an email inbox stored on a memory stick that has now vanished.

So far Police Chief Col. Edwin C. Roessler Jr. has said he has not received any reports of the information being exploited but he is concerned for his officers who, The Washington Post says, “go to great lengths to protect their personal information.” Roessler has referred to the incident as “devastating” and says he hopes “it doesn’t create any harm.”

The email inbox belonged to neighbouring Police Chief Cynthia McAlister. A copy was made as part of an internal investigation dating back to October 2017 and may have fallen into the hands of a “felon.” The copy inbox may have contained up to 1,800 personal records in total.

Liver Wellness, Dublin, Ireland

Patients at liver scanning procedure company Liver Wellness in Dublin were informed last month that the company’s email account had been hacked. RTÉ’s This Week reports that the hacker used the company’s email account to contact customers asking them to share personal information.

Liver Wellness says it is treating the breach “very seriously,” and the Data Protection Commission has been notified.

As part of its procedures, Liver Wellness keeps patient medical history on file, as well as that of its patients’ families, including histories of alcohol use and medical information from GPs. So far, as per reports, there is no information to suggest that this information has been accessed by hackers.

A team from Liver Wellness and Microsoft cybersecurity is working on the issue and patients have been asked to delete any suspicious emails asking for personal information.

ZoneAlarm, 4,500 customers affected

As reported by TechRadar on November 13, ZoneAlarm, part of security company Check Point, has seen a breach of its web forums. Hackers were able to gain unauthorized access to one of its web forums and then obtain the names, addresses, encrypted passwords, and dates of birth of up to 4,500 customers.

Neither ZoneAlarm nor Check Point appears to have publicly announced the breach, but emails were sent to affected customers with ZoneAlarm saying:

“The website became inactive in order to fix the problem and will resume as soon as it is fixed. You will be requested to reset your password once joining the forum. ZoneAlarm is conducting a thorough investigation into the whereabouts of this incident and views this as a serious matter.”

Hackers reportedly exploited a “known critical RCE vulnerability” in vBulletin’s forum software, used by ZoneAlarm, which allowed them to gain access to the website.

TechRadar writes that ZoneAlarm was running an older version of the vBulletin software which contained the vulnerability. The same vulnerability has been used to hack a forum belonging to Comodo where the login information of 245,000 users was breached.

This last ZoneAlarm breach serves as a huge reminder that constant system and software vulnerability checks and the updating of all software are absolutely critical in today’s digital age. And that’s not just internal systems and networks, but also any software used in website or application builds, communications, and even software and systems used by third parties. Though the latter is a responsibility of the supplier, a contracting company must endeavour to ensure that its own strict cybersecurity practices are equally matched by a third-party vendor.

Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.


It may not be surprising that attacks on healthcare organisations have jumped by 60% so far in 2019 considering that many of the breaches and ransomware attacks in the news frequently cite companies and bodies within the sector.

Malwarebytes has just published its latest report, as detailed by Dark Reading, finding that attacks are up nearly two thirds for the first nine months of 2019 compared to the whole of 2018. Hospitals, doctors’ offices, and other healthcare providers are being hit hard by attackers, frequently with Trojan malware. Trojan attacks have risen by 82% just between the second and third quarters of 2019.

Trojan malware is often used for breaching networks and controlling computers and is prevalent in ransomware attacks, which have included a number of high-profile hospital incidents. Some of the main culprits are Trickbot and Emotet, former banking industry vectors now targeted at the medical industry.


Stolen medical data is valuable but public healthcare cybersecurity budgets are low

Earlier this year, we questioned why healthcare sector attacks were on the rise and, with the help of a Carbon Black study, outlined the value of stolen medical data.

Adam Kujawa, the director of Malwarebytes Labs says:

“You think about some of the attacks we’ve seen, such as what happened with WannaCry and the UK’s National Health Service … and you figure they would have focused more on security.”

The Malwarebytes report may already outline the answer:

“Medical institutions are fighting an uphill security battle, as budget dollars are often diverted to research, patient care, or new technology adoption.”

At least for public healthcare providers cybersecurity is an “afterthought.” The report adds:

“Doctors use legacy hardware and software, staff lack the security know-how to implement updates and patches in a timely manner, and many medical devices lack security software altogether.”

The healthcare sector, as per Malwarebytes, is actually the seventh most targeted group, with education providers at the top of attackers’ lists. Perhaps this, too, is because of the low budgets, limited experience, and sometimes less than cutting-edge information technology in the public sector.

In the public sector, lobbying for additional cybersecurity budget and focus will take time. There are likely to be more breaches before governments commit to cybersecurity as a very top priority.

For private sector healthcare companies there is no excuse. Any private business should be at the top of its cybersecurity game knowing a simple breach can permanently ruin reputation and lead to complete corporate failure.

In our data breach round-up for last week we covered the breach at US healthcare group Starling Physicians that may have been caused by a phishing attack. And DNA testing startup Veritas Genetics revealed some of its customer information may have been illegally accessed via a customer portal affecting a small number of customers.

Your employees play a key role in helping to use technology safely, so why not help upskill them on the risks posed when using mobile devices? Sign up for a free demo of the world’s most interactive security awareness training.


5G implementation across the globe creates new opportunities and efficiencies for many businesses; however, its use will also create increased cybersecurity risk. If you are planning to use 5G, as a business you must be prepared.

AT&T Cybersecurity, as per TechRepublic reporting, has just published a new cybersecurity insights report titled “Security at the Speed of 5G” which focuses on readiness for and the risks of 5G technologies.

Threats from an increased number of connections and devices

5G will mean a “larger attack surface” and more connected devices that can be compromised. 5G speeds will be an essential improvement for widescale internet of things (IoT) use, but this kind of technological progression needs to be matched with evolving cybersecurity strategies.

The report, and a survey of 704 cybersecurity professionals in larger organisations, found that 72.5% of those asked have high or medium-high levels of concern over 5G’s effect on cybersecurity. Only 22% believe their current cybersecurity policies are ready for 5G, and 76% do expect new threats from the development and use of 5G. Most of the survey’s respondents said they expected to make 5G-related changes to their cybersecurity strategies, and 78% acknowledge their policies need to be changed in line with a move to 5G.

Considering that 5G is already being rolled out, including in the UK and the US, these figures are startling for larger organisations most of whom do not appear to be ready for 5G-related cybersecurity risks. AT&T, in the report’s key findings, says:

“Enterprises need to do more to prepare for 5G. Advancement in the 5G network will touch on many technology areas and eventually enable enterprises to use less expensive and more efficient solutions.”

A rise in the number of connected devices means that:

“Identity and authentication will be key to 5G security. In addition, enterprises should be considering how they can shore up their vulnerability management programs (both patching and mitigation) for devices at the edge which may carry vulnerabilities that go unnoticed and unpatched.”

Survey respondents put a larger attack surface due to an increase in connectivity as their main concern, followed by more networked devices and then the need to extend security practices to cover IoT devices. Lastly in 5G concerns came authenticating a wider variety of devices, and the insufficient protection of perimeter defences.

What could 5G readiness entail?

Security virtualisation could be a key response to 5G cybersecurity needs. This involves a move from hardware-based security functions to cybersecurity software that can be used both on hardware and in cloud-computing networks. AT&T says:

“Security virtualisation could be the most crucial advancement related to 5G security, for both the provider and their enterprise customers. Enterprise IT is becoming more distributed, and through virtualisation networking is following suit. Security needs to follow that trend.”

Endpoint security is also critical for 5G-powered networks. Businesses will need to deploy tighter network access controls and potentially new systems for device authentication.

Less than a third of the survey’s respondents had vulnerability assessment and remediation practices in place. This is another concerning statistic, given that software and network vulnerabilities are often the culprits in attacks and breaches.


What will the future of 5G cybersecurity look like?

AT&T says the future of 5G network security might include virtualisation and automated security controls, plus artificial intelligence (AI) and machine learning (ML) powered threat intelligence and detection. A more sophisticated approach to identity verification and authentication of devices and users could involve a zero-trust approach to cybersecurity. This quite literally means not trusting any network traffic and always verifying everything. Lastly, 5G cybersecurity may need a “shared security model” approach where enterprises take responsibility for security, but so too do network providers and perhaps, in some cases, even end-users or consumers.

AT&T’s final thoughts from the report reiterate 5G’s promise and the new security risks this opportunity will bring. It says:

“Prudent organisations are taking a proactive stance by anticipating the security requirements that will come with the new technology. Creating a security posture that is ready for the speed and threat surface of 5G means understanding the potential for new threats and putting up the right tools for a solid defence.”

It also says that the report’s associated survey results reveal organisations need to do more to prepare their cybersecurity approach for 5G:

“Key among these preparations are virtualisation, automation, and software-defined networking; enhanced measures for identity and authentication; continuously updated and globally-informed threat intelligence; shifting functions to managed security services; and preparing your security posture now while 5G is still in its early stages of deployment.”



Another week, another list of data breaches teaching us that cybersecurity is a number one business priority in our digitally transforming age.

This week professional hacker and head of cybersecurity for Okta, Marc Rogers, told Business Insider there is a “common thread” across high-profile data breaches including this summer’s Capital One breach. Rogers says it’s all about how companies manage the servers where they store sensitive personal information:

“That’s probably the most common vector that I’m seeing across all of these breaches, is that companies don’t seem to know what data assets are out there. And consequently, there [are] a lot of insecure systems hanging on the internet that can be readily accessed.”

The Capital One breach exposed data of 100 million US citizens and six million Canadians. The suspected cybercriminal responsible may have exploited a firewall misconfiguration in Capital One’s cloud network.

Rogers told Business Insider that fixing poor server security could prevent millions of records being compromised:

“If we just got rid of that, I think you’d reduce the number of breaches we’re hearing about by at least half.”

Let’s look at some of this week’s breaches.

University of Hertfordshire, UK

Not a server issue, but an employee’s mistake. The University of Hertfordshire has mistakenly shared the personal details of around 2,000 students by sending an email about a lecture with an attachment listing the 2,000 recipients’ names and email addresses. The university, as per the BBC, says:

“The email was not sent to all students and the incident affected a group of students in one of our schools of study.”

It also recalled the email, which may only have worked if it had been left unopened by recipients. And it contacted students immediately as well as confirming:

“We are contacting all affected students with information and advice. We are carrying out an internal investigation and have informed the Information Commissioner’s Office.”

– Engage your staff with scenario-based security awareness training or “In-the-Moment” training.

Starling Physicians, Connecticut, US

Just yesterday a US healthcare group, Starling Physicians, told its patients they may be affected by a data breach that occurred in February. The incident may have been a phishing attack and after an investigation it appears affected email accounts contained patient data including passport numbers, social security numbers, medical information, and health insurance and billing data.

The company has sent letters to affected patients which included advice on protecting themselves against fraud or identity theft. It has also advised patients to monitor their accounts closely.

Veritas Genetics, Massachusetts, US

DNA testing startup Veritas Genetics has revealed a data breach has led to the unauthorized access of some customer information. Other than “recently” it has not confirmed when the breach happened but has said its customer portal was breached affecting a “handful” of customers. The portal, as per TechCrunch, did not contain medical information or test results.

A Veritas Genetics spokesperson has denied data “theft” occurred and the company has not issued a public statement to date.

TechCrunch writes that privacy is an “emerging concern” in genetic testing as law enforcers increasingly serve legal demands against DNA testing companies for information and records to help solve criminal cases.


Orvis.com, Vermont, US

A retailer of fishing equipment and sports goods has accidentally leaked hundreds of internal passwords relating to company firewall protection, routers, administrator accounts, and database servers.

KrebsOnSecurity reports that the incident was “inadvertent” and that many of the logins and passwords had already expired. Orvis is the oldest mail-order retailer in the US and has nearly 70 stores in the US and 18 in the UK.

Hold Security reportedly revealed that a file containing the usernames and passwords had been posted to Pastebin.com. An Orvis spokesperson, Tucker Kimball, has said the file was only published for a day before Orvis had it removed and that:

“The file contains old credentials, so many of the devices associated with the credentials are decommissioned and we took steps to address the remaining ones. We are leveraging our existing security tools to conduct an investigation to determine how this occurred.”

However, Hold Security argues the file was posted to Pastebin on two occasions in October. KrebsOnSecurity writes the incident is the “most extreme” example of a credentials file being publicly published and that:

“By all accounts, this was a comprehensive goof: The Orvis credentials file even contained the combination to a locked safe in the company’s server room.”

The file’s breach may have been due to an outside contractor and is an example of a third-party or supply chain breach. Hold Security founder, Alex Holden, says:

“This is a continuously growing trend of exposures created not by the victims but by those that they consider to be trusted partners.”

KrebsOnSecurity warns:

“Long gone are the days when one could post something for a few hours to a public document hosting service and expect nobody to notice. Today there are a number of third-party services that regularly index and preserve such postings, regardless of how ephemeral those posts may be.”



Mobile phones are a critical part of our daily business lives: even non-company phones are used for work, and company mobiles are certainly used frequently.

Infected applications and malware are increasingly targeted at mobile devices and can arrive at a user’s device by the simple downloading of an application. This malware can then infiltrate corporate networks or steal data, and this poses a significant cyber risk for businesses.

Using mobiles for daily tasks or as POS systems is dangerous

Smartphones are used daily in the workplace to open emails, store and access sensitive data, make calls, and are even used as point-of-sale (POS) devices to receive customer payments. Tablets are used in the same way, as we work towards digital transformation and the reduction of paperwork in our offices and environment.

SecurityMetrics writes that a mobile device, to be used for taking customer payments, costs less than a POS device. And, that:

“A company can save even more by implementing a BYOD policy.”

The cross-over between personal and business mobile use and the increasing use of mobile phones in the workplace, however, creates additional cybersecurity risk for companies. Smartphones and tablets are less secure than computers as standard. And the security measures companies put in place for their desktops and overall networks often aren’t extended to mobile devices, leaving them without firewalls, encryption, or antivirus software.

Mobile malware attacks are increasing

Check Point, as per ZDNet reporting, warned this summer of a 50% increase in mobile malware attacks this year compared to last. These cyber attacks are particularly focused on Android operating systems. Check Point believes one reason may be the increasing use of mobile banking. Its director of threat intelligence and research, Maya Horowitz, says:

“The sharp rise in mobile banking malware correlates to the growing use of mobile banking applications.”

It’s worth noting here that from a business perspective, a mobile banking application is often a perfectly reasonable install for employees.

Mobile breaches can lead to data theft, surveillance, and the hijacking of devices

Mobile malware can steal data, conduct surveillance, and even perform malicious advertising. It can also hide undetected on devices for some time.

One common form of malware, accounting for 30% of attacks, called Triada, can allow attackers to take control of a device. It has also been discovered pre-installed on over 20,000 cheap smartphones, according to ZDNet. Horowitz advises:

“Users need to protect their devices with a holistic solution that blocks malware and network attacks, and prevents data leakage and credentials theft, without affecting the user experience.”


Antivirus applications might not be as safe as we think

Perhaps even more concerning, a Forbes report in August revealed that antivirus applications for mobile devices that had seen 28 million downloads themselves opened the door for cyberattackers.

Research by Comparitech found that such applications presented attack paths and opportunities for cybercriminals, often via security flaws and vulnerabilities. Comparitech tested 21 Android antivirus applications and 47% failed in some way. Its researcher Aaron Phillips said:

“We looked for flaws in the way each vendor handles privacy, security, and advertising. The results were eye-opening.”

The largest risk to businesses from breached mobile devices is that sensitive, company, or even customer data, could be directly exposed to cyber attackers and used fraudulently or in further attacks.

Application downloads are not the only attack vector for mobiles

Malware and other forms of attack reach mobile devices via application downloads, system vulnerabilities, phishing emails, the use of non-secure or public Wi-Fi connections, and even by text or voicemail phishing attacks.

Cybersecurity strategies must cover mobile devices, and policies must be put in place for safe mobile and tablet use. Additional antivirus, encryption, software updates, and vulnerability scanning might be needed. Furthermore, mobile device users need security awareness training so they know and understand the associated cyber risks. The use of public Wi-Fi, the downloading of applications, and opening emails safely should all be key topics.

Google is working to prevent an estimated 30 million “bad” downloads from increasing

Infected or malicious mobile applications are a major problem for mobile device security. Though businesses and users need to take their own actions to minimise risk, some responsibility lies with application stores where these “bad” applications can be found.

Google appears to be taking steps to purge malicious Android applications from Google Play Store. In an announcement Wednesday, reported by TechCrunch, Google has revealed it has partnered with three mobile security firms, ESET, Lookout, and Zimperium, “to stop bad apps before they reach users’ devices.”

Applications are screened by Google before they are approved to be listed on Google Play Store but still around 0.04% of all Android application downloads are potentially harmful – this equates to around 30 million potentially malicious application downloads to date.

Though applications are being regularly removed from Google Play Store, the issue is compounded by the fact that those who already have the application are often not aware of the issue and keep the application on their device.

Google, and its partners, plan to improve the screening of new Android applications to prevent malicious or infected applications reaching its store.



The data protection authority in Germany, the German Datenschutzkonferenz (DSK), has published a new model for calculating fines for GDPR violations. Under the new framework, fines will be calculated as per Article 83 of the GDPR and will result in higher fines than Germany has so far imposed.

Data Protection Report, which publishes legal insights, covered the new, expected heftier, fine model and says:

“The largely linear calculation method, starting with turnover, leads to serious penalty risks, especially for undertakings and groups with high revenues.”

The DSK’s framework is a five-step model. The first step assigns a company in violation to a classification group based on its total turnover during the prior year. The resulting categories are very small; small and medium-sized; or large. There are then sub-groups. The DSK qualifies that, as GDPR imposes fines on an “undertaking,” the size of the entire organisation will be used for the category qualification instead of the size of the subsidiary at fault.

In step two, Germany’s DSK determines the average annual turnover for the “undertaking.” If this is less than €500,000, a fixed annual turnover figure is allocated. For companies, or groups, with an annual turnover above €500 million, Article 83’s maximum percentage fines would be applied to the “actual annual worldwide turnover.” These fines would be either 2% or 4% depending on the type of GDPR violation. Step three is a “daily rate” determination, dividing the prior year’s average annual turnover by 360 days.

Step four is an assessment of how serious the infringement is and is based on the GDPR violation and the maximum fine limits. Germany’s authorities will also use their discretion based on the perceived harm to the individuals affected in a breach or violation, but they cannot exceed GDPR’s maximum penalties. Severity is decided on a case-by-case basis, and there are four levels of severity separated into two groups. As per Data Protection Report, these are:

“A technical infringement (formeller Verstoß) of the GDPR, i.e. violation of the requirements listed in Article 83 (4) GDPR, such as missing or incomplete data processing or joint controllership agreement, violation of privacy by design and default, failure to appoint a data protection officer, etc.”

Or,

“A material infringement (materieller Verstoß) of the GDPR, i.e. violation of the requirements listed in Article 83 (5) GDPR such as violation of data subject rights, data transfer to countries outside the EEA whose data protection laws have not been deemed adequate, unlawful data processing, etc.”

The classification of the infringement severity then has a multiplier as follows:

If the perceived gravity of the infringement is:

  • minor, the multiplier range for
    • technical infringements is 1 to 2,
    • material infringements is 1 to 4;
  • average, the multiplier range for
    • technical infringements is 2 to 4,
    • material infringements is 4 to 8;
  • severe, the multiplier range for
    • technical infringements is 4 to 6,
    • material infringements is 8 to 12; and
  • very severe, the multiplier range for
    • technical infringements is more than 6,
    • material infringements is more than 12.

What results, in the DSK’s fine imposition, is a “regular fine corridor”: the daily rate multiplied by the multiplier range that applies to the severity level decided. The median value of that corridor becomes the basis for the fine calculation.

DSK’s last step is a classification of the specific infringement and any discretionary adjustments to the fine calculation in step four based on the nature of the offence and the impact on those affected. Data Protection Report says:

“In particular, this includes all circumstances referred to in Article 83 (2) GDPR (e.g. nature, extent and purpose of the unlawful processing, number of data subjects involved in the processing, extent of harm suffered by data subjects, etc.) as well as other circumstances, such as duration of the infringement or any threat of insolvency for the company.”
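To make the arithmetic of steps two to four concrete, here is an added worked model of the DSK fine corridor (illustration only, not the DSK’s own calculator). It encodes the €500,000 and €500 million thresholds, the 360-day daily rate, the severity multipliers and the 2%/4% Article 83 maximums as the page states them; the fixed turnover figures for undertakings below €500,000 and the step-five discretionary adjustments are not on the page, so they are not modelled, and the €36 million turnover used in the example is a constructed value.

```python
"""Worked model of the DSK's GDPR 'regular fine corridor' (added illustration)."""
from typing import Optional, Tuple

# Step 4 multiplier ranges as listed on the page.
# None marks the open-ended upper bound ("more than 6", "more than 12").
MULTIPLIERS = {
    ("minor", "technical"): (1, 2),
    ("minor", "material"): (1, 4),
    ("average", "technical"): (2, 4),
    ("average", "material"): (4, 8),
    ("severe", "technical"): (4, 6),
    ("severe", "material"): (8, 12),
    ("very severe", "technical"): (6, None),
    ("very severe", "material"): (12, None),
}

# Article 83 maximum as a percentage of annual worldwide turnover, as quoted on the page:
# 2% for technical (Art. 83(4)) and 4% for material (Art. 83(5)) infringements.
MAX_PERCENT = {"technical": 2, "material": 4}

SMALL_LIMIT = 500_000        # below this the DSK substitutes a fixed figure the page does not give
LARGE_LIMIT = 500_000_000    # above this the percentage cap is taken on actual worldwide turnover


def daily_rate(avg_turnover_eur: float) -> float:
    """Step 3: prior-year average annual turnover divided by 360 days."""
    if avg_turnover_eur < SMALL_LIMIT:
        raise ValueError("undertakings below EUR 500,000 use a fixed figure not stated on the page")
    return avg_turnover_eur / 360


def fine_corridor(avg_turnover_eur: float, gravity: str, kind: str,
                  worldwide_turnover_eur: Optional[float] = None) -> Tuple[float, Optional[float], float]:
    """Steps 3-4: the 'regular fine corridor' (daily rate x multiplier range), in EUR.

    Returns (low, high, cap). `high` is None where the page leaves the multiplier
    open-ended. `cap` is the Article 83 maximum, which the authority may not
    exceed, so both ends are clipped to it. For undertakings above EUR 500 million
    the cap is taken on worldwide turnover (defaults to avg_turnover_eur).
    """
    if kind not in MAX_PERCENT:
        raise ValueError(f"kind must be 'technical' or 'material', got {kind!r}")
    if (gravity, kind) not in MULTIPLIERS:
        raise ValueError(f"unknown gravity {gravity!r}")
    daily_rate(avg_turnover_eur)  # enforces the lower threshold
    low_mult, high_mult = MULTIPLIERS[(gravity, kind)]
    use_worldwide = avg_turnover_eur > LARGE_LIMIT and worldwide_turnover_eur is not None
    cap_base = worldwide_turnover_eur if use_worldwide else avg_turnover_eur
    cap = cap_base * MAX_PERCENT[kind] / 100
    # Multiply before dividing so round figures stay exact in floating point.
    low = min(avg_turnover_eur * low_mult / 360, cap)
    high = None if high_mult is None else min(avg_turnover_eur * high_mult / 360, cap)
    return low, high, cap


def corridor_median(avg_turnover_eur: float, gravity: str, kind: str) -> Optional[float]:
    """The corridor's median, which the page says becomes the basis for step 5."""
    low, high, _ = fine_corridor(avg_turnover_eur, gravity, kind)
    return None if high is None else (low + high) / 2


if __name__ == "__main__":
    # Constructed example: EUR 36 million average turnover, an 'average' material
    # infringement (multiplier 4 to 8): daily rate 100,000, corridor 400,000-800,000.
    print(fine_corridor(36_000_000, "average", "material"))    # (400000.0, 800000.0, 1440000.0)
    print(corridor_median(36_000_000, "average", "material"))  # 600000.0
```

Note that with the multipliers as published, the 2%/4% cap only ever bites in the open-ended “very severe” band (a multiplier above 7.2 for technical or 14.4 for material infringements), which is why the corridor for every closed band sits well below the Article 83 maximum.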

The report says that Berlin’s data protectors have been clear on their intentions to impose multimillion-euro GDPR fines. The DSK has presented its model to the European Data Protection Board’s (EDPB) “Fining Taskforce,” and believes its model is systematic and transparent.

Data Protection Report says the linear calculation based on revenue could be contested, particularly on whether the resulting fines are proportionate:

“While the model may be proportionate in relation to data-driven companies that generate a high profit from their revenues, we have substantial concerns as to whether it would be proportionate for companies generating a low profit ratio relative to their turnover, or where the data processing in question only plays a minor role in the business of the company in question. In addition, the model does not seem to take into account different business models. It remains to be seen whether the final calculation in Step 5 could be a corrective step.”

The publication believes Germany’s new GDPR fine framework could be tested in the courts and challenged, especially by global corporations who are likely to want to escalate fine impositions to the European Court of Justice.

In January 2019, Google was hit with a record fine of $44 million by French data regulators. GDPR also bared its teeth in July when the UK Information Commissioner’s Office (ICO) set fines for British Airways and Marriott Hotels. BA’s fine is potentially £183.4 million and Marriott’s £99 million.


Keep reading, and remember we’re not trying to scare you. Data breaches are a fact of our digital age; learning how they happen, who they happen to, and how victim companies respond can help you improve your own cybersecurity efforts.

Let’s look at some of the past week’s data breaches:

West Berkshire Council, UK – 1,107 records affected

In the UK, West Berkshire Council sent a leisure survey to 1,107 recipients, every one of whom could see the others’ email addresses. It’s a simple breach, a mistake rather than an attack. The council said in a statement:

“On 25 October, the council was made aware of an incident by which a large number of service users were copied into an email containing a survey about leisure centres.”

It appears the email’s author put the recipients in the CC field rather than the BCC field, which would have hidden their addresses from one another. In a second email to service users and affected residents, the council added:

“We’re really sorry that your email address was shared in this way.”

As the BBC reports, West Berkshire Council has reported the breach, as required, to the Information Commissioner’s Office (ICO).
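Since the cause was a CC/BCC mix-up, the control a practitioner would want is a check on the outbound mail path that refuses to send a mass mailing with many external addresses visible, and rewrites it to use BCC. The following is an added example, not the council’s or anyone else’s tooling; the domain example.gov.uk, the addresses and the policy threshold are assumptions.

```python
"""Pre-send check for a mass mailing: refuse to send when the To: and Cc:
headers would disclose many external addresses to every recipient, and
rewrite the message so those addresses go in Bcc: instead.

Added example, not West Berkshire Council's tooling. The domain
example.gov.uk and every address below are constructed for illustration.
"""
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.gov.uk"   # assumed: the sending organisation's own domain
MAX_VISIBLE_EXTERNAL = 1             # assumed policy: more than one outside address in To:/Cc: needs Bcc:


def _addresses(msg: EmailMessage, *headers: str) -> list[str]:
    raw = []
    for h in headers:
        raw.extend(str(v) for v in msg.get_all(h, []))
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def visible_addresses(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see once the mail is delivered: To: and Cc:."""
    return _addresses(msg, "To", "Cc")


def bcc_addresses(msg: EmailMessage) -> list[str]:
    return _addresses(msg, "Bcc")


def exposed_external(msg: EmailMessage) -> list[str]:
    """Visible addresses that do not belong to our own domain."""
    return [a for a in visible_addresses(msg) if not a.endswith("@" + INTERNAL_DOMAIN)]


def check_before_send(msg: EmailMessage) -> tuple[bool, str]:
    """Gate for the outbound mail path: (allowed, reason)."""
    ext = exposed_external(msg)
    if len(ext) > MAX_VISIBLE_EXTERNAL:
        return False, f"{len(ext)} external addresses would be disclosed to every recipient"
    return True, "ok"


def rewrite_to_bcc(msg: EmailMessage, sender: str) -> EmailMessage:
    """Move every visible recipient into Bcc:. Bcc: is used for the SMTP envelope
    and stripped from the delivered headers (smtplib.send_message does this),
    so recipients never see each other's addresses."""
    recipients = visible_addresses(msg) + bcc_addresses(msg)
    for header in ("To", "Cc", "Bcc"):
        del msg[header]            # EmailMessage deletes every instance of the header
    msg["To"] = sender             # a visible To: of the sender's own address is the usual convention
    msg["Bcc"] = ", ".join(dict.fromkeys(recipients))   # de-duplicated, order preserved
    return msg


def sample_survey_mail() -> EmailMessage:
    """Constructed stand-in for the leisure survey: five residents in To:, one colleague in Cc:."""
    msg = EmailMessage()
    msg["From"] = "leisure@example.gov.uk"
    msg["To"] = ", ".join(f"resident{i}@mail.example" for i in range(1, 6))
    msg["Cc"] = "manager@example.gov.uk"
    msg["Subject"] = "Leisure centre survey"
    msg.set_content("Please tell us what you think of our leisure centres.")
    return msg


if __name__ == "__main__":
    mail = sample_survey_mail()
    allowed, reason = check_before_send(mail)
    print("before:", allowed, reason)
    mail = rewrite_to_bcc(mail, "leisure@example.gov.uk")
    print("after: ", check_before_send(mail), "| Bcc has", len(bcc_addresses(mail)), "addresses")
```

The threshold is deliberately low: a survey to hundreds of residents has no legitimate reason to expose any of them, and a check like this sits naturally in a mail gateway or a sending script rather than relying on the author remembering which field to use.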

Desjardins Group, Canada – 4.2 million members

The Desjardins Group breach was first disclosed in June 2019, when the Quebec-based federation of credit unions revealed that the personal information of about three million members had, as per Global News, been shared illegally by an employee.

The individual reportedly sent social insurance numbers and other such sensitive information of Desjardins’ members to outside parties. The group has now announced the breach is larger than previously thought and has affected 4.2 million individuals. Desjardins president and CEO, Guy Cormier, says:

“What we are announcing is not a new leak. This is an update on the same breach by the same malicious person.”

The accused employee has reportedly been fired. Quebec’s provincial law enforcers have questioned 17 “people of interest,” met with 91 witnesses, and conducted property searches, according to Global News. As well as action by Quebec’s police force, the breach is being investigated by the Office of the Privacy Commissioner of Canada, and Quebec’s access to information commission.

Desjardins Group provided affected members with Equifax credit monitoring in July and will now extend this provision to all of its members. As of the latest reports, there have been no discoveries of fraud due to the breach. Quebec’s Finance Minister Éric Girard has confirmed he is “satisfied” with how Desjardins Group is handling the data breach.


Web.com users warned to change their passwords

Domain registrar and website-building platform Web.com and a number of its subsidiaries have been affected by an apparent attack. Web.com says a third party gained access to some of its computer systems and, in a statement, revealed that user account information may have been accessed.

Web.com has said that no credit card information was compromised, and users have been advised to change their passwords. The company has customers around the globe, and its Register.com subsidiary is a popular platform in New Zealand. As per Newshub, it revealed:

“Upon discovery of this unauthorised access, the company immediately began working with an independent cybersecurity firm to conduct a comprehensive investigation to determine the scope of the incident, including the specific data impacted.”

The incident occurred in August; customers based in New Zealand were informed of the breach last Monday.

A SiliconANGLE report suggests the breach may have affected millions of users.

Washington University School of Medicine, St Louis, US

As per Becker’s Hospital Review, some patients of Washington University School of Medicine’s ophthalmology and visual sciences department could have had their information viewed by an unauthorized individual. The breach was discovered after patients received an “unusual letter”; the individual may have gained access to a university employee’s email account through the employee’s personal laptop.

Though there is no evidence that patient information has been misused, the exposed data could have included personal information, medical records, and health and social insurance numbers. The university has reportedly said in a statement:

“We regret any concern or inconvenience this incident may cause. We remain committed to protecting the confidentiality and security of our patients’ information. To help prevent something like this from happening in the future, we have reinforced education with our staff on best practices for passwords and are making additional security enhancements.”

Cybersecurity education and security awareness training is vital for every employee

This past week’s breaches carry a clear message we can’t help but reiterate: education on cyber risk and security awareness can prevent data breaches.


Both the West Berkshire Council and the Washington University School of Medicine breaches appear to be due to employee mistakes, lack of knowledge, or lack of attention. In the first, recipients appear to have been CC’d rather than BCC’d; the second could have been due to poor password practices. Though both breaches might have happened regardless of any training, they might just as well have been prevented through education and greater security awareness.



Good cybersecurity in business is everyone’s responsibility, according to a recent article published by the World Economic Forum (WEF) and penned by Zurich Insurance Group’s chief information security officer, Paige H. Adams.

Not everyone needs to be an expert, but cyber security awareness training is vital

Cybersecurity leaders, says Adams, are also business leaders “working to protect data without business interruption.” Though “cybersecurity challenges are daunting” and not everyone is a cybersecurity expert, they don’t need to be. The most important factor in a combined fight against cybercrime is:

“Those with the primary responsibility for cybersecurity in an organization communicate risk effectively among their colleagues and across the business.”

Creating a culture of cybersecurity to fight cybercrime

Adams says incorporating cybersecurity into a corporate culture will help to reduce risk and increase resilience against cyber-attacks. A culture of cybersecurity is the 10th point in a guide to dealing with cybersecurity challenges published by WEF titled “Cybersecurity Guide for Leaders in Today’s Digital World.”

Zurich Insurance Group uses a risk-based framework that helps to achieve a cybersecurity culture. Adams says:

“Its Integrated Information Security Baseline (IISB) unites security efforts across the global organization and helps business leaders – business unit CEOs, COOs, CFOs – to better understand and manage critical cyber-risks.”

Creating a cybersecurity culture, she says, is not about making every employee an expert. It is about creating an understanding of risk across an organization, making cybersecurity a top-level dialogue, building security awareness, implementing engaging training (even using gamification, prizes and fun quizzes), and opening channels of communication so that informed employees can report risks.

Why is security awareness training essential for everyone?

Firstly, Adams points to the well-rehearsed problems that make it essential for every employee to understand cyber risk and receive security awareness training. Adams says:

“Nearly all individuals in an organisation have access to information that is valuable to cybercriminals.”

And data breaches can be “enabled by unintentionally risky behaviours” such as weak passwords and poor login practices. She adds:

“The bulk of today’s cyberthreats achieve their goal through humans and the targeting of individuals.”

In particular, individuals are targeted by phishing attacks, made more effective by social engineering.

Indeed, as many as 99% of cyberattacks rely on human interaction to work, and that interaction is often an unwitting employee’s reaction to an attack. Individuals really are the last line of defence against many attacks, and it is the security awareness they apply in their daily activities that empowers this defence.

Making cybersecurity training fun for best effect

Secondly, Adams shares her points for making a cybersecurity culture more robust, starting with creating a framework for managing risk that can be communicated across an organisation. CEOs should be part of the cybersecurity dialogue: if a CEO talks about phishing awareness, it filters down through all levels of a business.


The Zurich Insurance Group CISO suggests:

“Creating a security instruction and awareness function and appointing a senior leader responsible for running security awareness campaigns and overseeing security training.”

She also suggests that incentive programs can reinforce positive cybersecurity behaviour in the workplace:

“For example, phishing simulation training could be made more enjoyable through gamification and small prizes for those who report the most phishes.”

As well as mandatory annual training, she recommends ongoing, lighter-touch material:

“You can also find ways to make engaging, bite-sized security training available throughout the year. This can be delivered through fun quizzes, cartoons or security-focused webisodes.”


Communication channels are also vital, according to Adams. Both for reporting suspicious activity and for a constant reminder of cybersecurity risk to ensure it is kept “top of mind.”

“Company newsletters, blogs, digital signage and posters are all good venues for promoting anything from a cybersecurity tip of the day or slogan, to an interview with a top company executive on the topic of cyber fraud.”

Adams concludes by saying every person in a company or organization is a “security champion” and has a responsibility to support a company’s cybersecurity team.

As we offer security awareness training and phishing simulation training here at The Defence Works, we happen to agree wholeheartedly with Adams and the WEF. We also know that cybersecurity responsibility may end with a CEO, but it is certainly part of every role within a company today. In the same way that retail workers have a responsibility to look out for, prevent and report physical theft, every employee in any technology-using business must make sure that digital threats are identified and dealt with to the best of their knowledge.

We know security awareness training needs to be quick, simple, and fun, so we use real-life scenarios and role play, as well as interactive episodes and comedy sketches.



The implementation of GDPR was a marked move forward both for data privacy and data protection and for Europe in tackling a global problem. GDPR came into play in May 2018 and many companies have achieved compliance whilst others have already been issued massive fines for data privacy violations.

Other countries are taking a lead from the EU’s GDPR

In the US, there is no wide-reaching, all-encompassing federal data protection regulation like GDPR. Federal laws are often sector-specific and focus on certain types of data, according to ICLG’s US Data Protection 2019 report.

The US Federal Trade Commission (FTC) can use the Federal Trade Commission Act to issue some enforcement actions to “protect consumers against unfair or deceptive practices and to enforce federal privacy and data protection regulations.”

State legislation in the US is a different matter. State laws vary in their breadth, and many states are developing new regulations. Massachusetts has had stronger data protection regulation for some time. California is viewed as a “privacy-forward” state, as per ICLG, and the California Consumer Privacy Act (CCPA) takes effect on January 1, 2020. Legislation in New York is currently being considered by legislators.

The EU could begin to dominate the cybersecurity landscape globally

Jody Westby, CEO of consulting firm Global Cyber Risk, writing for Forbes this week, says the EU may be “about to seize the global lead on cybersecurity,” and that the EU’s actions over the past six years may have positioned it to become the “global leader.” According to Westby, the EU has established cybersecurity requirements for operators of essential services (OES) and digital service providers (DSPs), and has implemented a certification framework for digital products, services and processes. With the recent EU Cybersecurity Act, ENISA (the European Network and Information Security Agency, renamed the European Union Agency for Cybersecurity by the act) gained an expanded role and a permanent mandate. Westby writes:

“When the EU decides to pursue a topic, it allocates money to match its intentions.”

The EU Cybersecurity Act channels funds into ENISA’s budget, and the agency is also funded by the EU generally, by member states and by grants. Cybersecurity is a “high priority” for the EU’s executive, the European Commission, which has allocated $2 billion from its 2021-2027 budget to “safeguarding the EU’s digital economy.”

This funding will finance “state-of-the-art” cybersecurity equipment and infrastructure. Additional funding is planned from Horizon Europe, the EU’s €100 billion seven-year science and innovation program.

Westby says the EU, as well as being focused on security, hopes to strengthen the European economy and points to the first line of the EU Cybersecurity Act:

“Network and information systems and electronic communications networks and services play a vital role in society and have become the backbone of economic growth.”

The act also suggests the EU should develop closer cooperation with “universities and research entities” which will “contribute to reducing dependence on cybersecurity products and services from outside the Union and to reinforce supply chains inside the Union.”

Supporting Europe’s cybersecurity industry

It’s not just GDPR, the EU Cybersecurity Act and the development of ENISA that may contribute to Europe’s lead in the fight against cybercrime. In its State of the Union address, the EU announced the creation of a Network of Cybersecurity Competence Centres to increase the competitiveness of the EU’s cybersecurity industry. The network is to be managed by an equally new European Cybersecurity Industrial, Technology and Research Competence Centre, which will support and drive cybersecurity development as well as financing and providing technical assistance to young cybersecurity companies.

In addition to these new initiatives, Westby describes the EU’s longer-standing commitment to data privacy, which began with the 1995 Data Protection Directive and has now culminated in GDPR. She also notes the vast number of directives, policies and frameworks issued by EU bodies to support its goals and member states. She writes:

“A legal framework, reliable publications and materials that can guide all stakeholders, and the draw of aligning with 30 countries is a powerful pull for countries trying to adapt their laws and regulations to a digital world.”

And adds that other countries are striving to emulate the EU both to keep up and to be compliant to work with EU countries. Westby suggests the US may have lost its lead on cybersecurity and US businesses may “end up having to follow EU cybersecurity regulations.”

Europol, the EU’s law enforcement agency, is also focused on cybersecurity and has recently published its 2019 cybercrime report. As well as tools to fight cybercrime, it recommends a holistic approach to cybersecurity: strategy, prevention, education, security awareness and stronger cybersecurity skills for all technology users. The latter can start in the workplace. Cybersecurity is no longer just the realm of the IT department; it is the responsibility of every employee from CEO to trainee, and of governments and law enforcers too.


Internet browsers are something most of us, and most employees, use every day. They are so ingrained in our daily activities that we might not instantly consider the cyberthreat they could pose to a business, being such familiar tools.

Of course, cybersecurity personnel must consider browser safety and will likely advise against unauthorised plug-ins and casual browsing. But these are not the only threats.

Google Chrome, Microsoft Internet Explorer, and Microsoft Edge fail browser audit

Germany’s cybersecurity agency, the German Federal Office for Information Security (BSI- Bundesamt für Sicherheit in der Informationstechnik), recently audited some of the most popular web browsers we use today. It tested Google Chrome, Microsoft Internet Explorer and Microsoft Edge, and Mozilla Firefox. Only Mozilla Firefox passed all its minimum cybersecurity requirements. This according to reporting by ZDNet.

According to TechAdvisor Google Chrome is utilised by 55% of internet users, Microsoft Internet Explorer and Microsoft Edge combined by 8.6% of users, and Mozilla Firefox by 6.5% of users. Browsers like Opera and Brave are also growing in popularity but have far less users than Firefox.

So Google and Microsoft’s failures are concerning. The versions assessed were Mozilla Firefox 68, Google Chrome 76, Microsoft Internet Explorer 11 and Microsoft Edge 44. They were benchmarked against the BSI’s guidelines for “modern secure browsers,” published this September, which were updated to cover newer security measures including telemetry handling, improved certificate-handling mechanisms and other technical features.

ZDNet lists all of the BSI’s criteria. What is notable is where Google Chrome, Microsoft Internet Explorer (IE) and Microsoft Edge fall down, which includes:

  • Lack of support for a master password mechanism (Chrome, IE, Edge)
  • No built-in update mechanism (IE)
  • No option to block telemetry collection (Chrome, IE, Edge)
  • No SOP (Same Origin Policy) support (IE)
  • No CSP (Content Security Policy) support (IE)
  • No SRI (Subresource Integrity) support (IE)
  • No support for browser profiles, different configurations (IE, Edge)
  • Lack of organizational transparency (Chrome, IE, Edge)
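Two of the criteria Internet Explorer fails, SRI and CSP, are things a site operator sets and a browser enforces. The block below is an added example (not BSI, ZDNet or browser code) showing what each involves in practice: generating the integrity value for a pinned script, verifying a fetched copy the way an SRI-capable browser does, and assembling a restrictive CSP header. The script body and the host cdn.example are constructed.

```python
"""Subresource Integrity (SRI) and Content Security Policy (CSP), two of the
BSI criteria Internet Explorer fails, worked through in Python: generate the
integrity value for a script, verify a fetched copy the way a browser does,
and build a CSP header. Added example, not BSI, ZDNet or browser code; the
script body and host names are constructed.
"""
import base64
import hashlib
import re

# Constructed stand-in for a third-party script we want to pin.
SCRIPT_BODY = b"window.widget = function () { return 'v1'; };\n"
SCRIPT_URL = "https://cdn.example/widget.js"   # assumed, not a real host

_TOKEN = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$")
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """integrity= value: '<algo>-<base64 digest>' computed over the exact bytes served."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """crossorigin is required for cross-origin scripts, or the browser cannot check the hash."""
    return f'<script src="{src}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'


def sri_verify(integrity: str, fetched: bytes) -> bool:
    """Mirror of the browser's check before executing the resource.
    The attribute may hold several space-separated tokens; the strongest
    algorithm present is selected and the resource passes if it matches
    any token of that algorithm. Unparseable metadata fails closed here
    (a browser would silently skip it, which is exactly the IE-style gap)."""
    tokens = [t for t in integrity.split() if _TOKEN.match(t)]
    if not tokens:
        return False
    best = max((t.split("-", 1)[0] for t in tokens), key=_STRENGTH.get)
    candidates = {t for t in tokens if t.startswith(best + "-")}
    return sri_hash(fetched, best) in candidates


def csp_header(script_hosts=(), report_uri=None) -> str:
    """A restrictive baseline: same-origin by default, scripts only from listed hosts,
    no plugins, no <base> hijacking, no framing by other sites."""
    directives = [
        ("default-src", ["'self'"]),
        ("script-src", ["'self'", *script_hosts]),
        ("object-src", ["'none'"]),
        ("base-uri", ["'self'"]),
        ("frame-ancestors", ["'none'"]),
    ]
    if report_uri:
        directives.append(("report-uri", [report_uri]))
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives)


if __name__ == "__main__":
    print(script_tag(SCRIPT_URL, SCRIPT_BODY))
    print("genuine copy verifies:", sri_verify(sri_hash(SCRIPT_BODY), SCRIPT_BODY))
    print("tampered copy verifies:", sri_verify(sri_hash(SCRIPT_BODY), SCRIPT_BODY + b"//x"))
    print("Content-Security-Policy:", csp_header(["https://cdn.example"]))
```

The point for a business is the caveat in the BSI list: a browser that does not implement SRI or CSP executes the tampered copy and the injected script regardless of what the site operator configured, so these headers protect only users on browsers that enforce them.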

Lack of automatic software updates requires attention by businesses

Probably the most concerning item on this list from a business perspective is Internet Explorer’s lack of a built-in update mechanism. IE is patched through Windows Update rather than by the browser itself, so an organisation that has paused or delayed Windows updates is also running an unpatched browser. IE is also more likely to be found in businesses than in homes, often kept for older internal applications, so it is worth knowing whether it is still in use within your company. The wider lesson is that regular checks that day-to-day software is running its latest version are critical, not optional.

Why is using the latest software version important?

Good software developers constantly adjust and improve software in response to technological changes, threats and newly identified vulnerabilities, so it is vital that companies consistently check for and apply updates. Many platforms notify users when an update is available and some update automatically, but businesses should not rely on that alone: verify that updates have actually been installed. Software updates “repair security holes,” fix and remove “bugs,” and remove outdated features, writes Symantec’s Steve Symanovich for Norton, who adds:

“While you’re at it, it’s a good idea to make sure your operating system is running the latest version.”

Cybercriminals write malware that targets the software vulnerabilities they identify, so developers have to stay ahead of the curve and users have to follow by patching. Such malware can infect a computer through a website, a compromised email, or even infected media files, and lead to company-wide breaches and data theft.

There is another benefit of regularly updating software too, and that’s new features. Symanovich writes:

“Software updates really are all about you. Your software program may get a new shot of stability — no more crashing. Or an update might boost program performance — more speed. You deserve no less.”

That said, the most important thing for corporate cybersecurity is the patches contained in updates to fix those pesky vulnerabilities so often responsible for successful cyberattacks. And, it’s not just browsers that need to be updated but every type of software that runs on a computer or network including network tools and basic applications.
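A check of the kind these paragraphs call for, as an added example rather than anything from the page’s sources or the vendors mentioned: it parses the loose version strings browsers and other software report, compares them numerically against a minimum-version policy and lists what is behind. The policy floors are the versions the BSI audit tested; the inventory rows and the policy itself are assumptions.

```python
"""Inventory check against minimum patched versions: parse the loose version
strings vendors ship, compare them numerically, and list what is behind policy.
Added example, not BSI or vendor code. The minimums are the versions the BSI
audit tested (Firefox 68, Chrome 76, Edge 44, IE 11); the inventory lines
are constructed.
"""
import re

# assumed policy: the version the audit tested is the floor; adjust to your patch cycle
MINIMUM_VERSION = {
    "Firefox": "68",
    "Chrome": "76",
    "Edge": "44",
    "Internet Explorer": "11",
}

# constructed inventory export: (host, product, version string as reported by the software)
INVENTORY = [
    ("ws-01", "Chrome", "76.0.3809.100"),
    ("ws-02", "Chrome", "75.0.3770.142"),
    ("ws-03", "Firefox", "68.0.2esr"),
    ("ws-04", "Firefox", "67.0.4"),
    ("ws-05", "Edge", "44.18362.329.0"),
    ("ws-06", "Internet Explorer", "11.0.9600"),
    ("ws-07", "Opera", "63.0.3368.94"),   # product with no policy entry
]

_LEADING_DIGITS = re.compile(r"\d+")


def parse_version(text: str) -> tuple[int, ...]:
    """'76.0.3809.100' -> (76, 0, 3809, 100); '68.0.2esr' -> (68, 0, 2); '68.0' -> (68,).
    The leading digits of each dot-separated segment are used; the first segment
    with no digits ends the version, and trailing zeros are dropped so 68 == 68.0."""
    parts = []
    for segment in text.strip().split("."):
        m = _LEADING_DIGITS.match(segment)
        if not m:
            break
        parts.append(int(m.group()))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_outdated(installed: str, minimum: str) -> bool:
    # tuple comparison: (68, 0, 2) is not below (68,), but (67, 0, 4) is
    return parse_version(installed) < parse_version(minimum)


def audit(inventory, policy=MINIMUM_VERSION):
    """Return (host, product, installed, required) for every entry below the floor,
    plus entries for products the policy does not cover, which need a human decision."""
    findings = []
    for host, product, installed in inventory:
        minimum = policy.get(product)
        if minimum is None:
            findings.append((host, product, installed, "no policy"))
        elif is_outdated(installed, minimum):
            findings.append((host, product, installed, minimum))
    return findings


if __name__ == "__main__":
    for host, product, installed, required in audit(INVENTORY):
        print(f"{host}: {product} {installed} (required: {required})")
```

Note that a product absent from the policy is reported rather than silently passed: an unmanaged browser that nobody is patching is the case this kind of check most often misses.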

The SSL Store wrote earlier this year:

“Web applications — everything from calculators and Google docs to webmail platforms and dynamic websites — are vulnerable to a variety of attack methods such as SQL injections, formjacking, and brute force attacks.”

It also quotes an Imperva report which illustrates the growing problem of software vulnerabilities:

“The overall number of vulnerabilities in 2018 (17,308) increased by 23% compared to 2017 (14,082) and by 162% compared to 2016 (6,615)… more than half of web application vulnerabilities have a public exploit available to hackers. In addition, more than a third (38%) of web application vulnerabilities don’t have an available solution, such as a software upgrade workaround or software patch.”

Trustwave says the two most popular types of attack on web applications, cross-site scripting (XSS) and SQL injection, are responsible for 40% and 24% of attacks respectively.

We would hope that Microsoft, Google, and Mozilla are on top of their browser vulnerabilities, at least as much as they can be in a world of constantly developing technology and digital threats.

For businesses, keeping on top of software updates and constantly checking system vulnerabilities is essential.




After a year of litigation, Facebook has agreed to pay a £500,000 fine to the Information Commissioner’s Office (ICO) for its part in the Cambridge Analytica scandal.

As per The Guardian, Facebook has withdrawn its appeal over the £500,000 penalty which is the highest the UK’s data regulator can impose. The Cambridge Analytica data violations occurred in 2015 prior to GDPR, and hence the cap on the fine.

A post-GDPR data privacy violation by Facebook could in principle result in a fine of up to 4% of global annual turnover (or €20 million, whichever is higher). For an idea of the change in potential penalties for giant corporations that GDPR has brought about, Facebook’s annual revenue hit $55.8 billion in 2018, which would put the ceiling above $2.2 billion.

The UK watchdog first revealed its intent to impose the fine in July 2018, issuing the official penalty in October 2018, three months later.

Following Facebook’s appeal, the tribunal hearing it issued an interim decision in June 2019 “holding that procedural fairness and allegations of bias on the part of the ICO should be considered as part of the appeal, and that the ICO should be required to disclose materials relating to its decision-making process.”

Facebook continues to deny liability

Despite agreeing to pay the fine Facebook has denied liability over the Cambridge Analytica scandal and this denial forms part of the settlement. Facebook has also kept the documents disclosed by the ICO for its own investigation into the Cambridge Analytica breach. However, the ICO has requested Facebook halt its enquiry.

Facebook is accused of having exposed data relating to 87 million Facebook users to a researcher at Cambridge Analytica. The data and political consulting firm was created after reported discussions between Steve Bannon, who became an advisor to US president Donald Trump, and Rebekah and Robert Mercer.

What happened with Cambridge Analytica?

After its creation, Cambridge Analytica worked on the Trump election campaign. As per a Vox analysis of the scandal, the researcher it worked with created a Facebook quiz application that collected data from participants. The application also exploited a loophole in Facebook’s API (the interface that integrates third-party applications with the platform) that allowed it to collect the data of each participant’s Facebook friends, who had never used the app. Facebook’s platform policy prohibited passing on this kind of data, but it is reported to have been handed to Cambridge Analytica regardless.

The scandal, along with numerous others relating to big technology companies and the use of individual data, has led to scrutiny and changes in the way data is collected, protected, and shared. Facebook has had to answer many questions and make numerous changes, and this continues. GDPR is one of a number of data privacy and protection frameworks being considered or developed globally. Today, consumers expect better from the digital platforms they use.

A welcomed agreement

With the recent announcement of Facebook’s compliance with its, arguably somewhat negligible, fine, ICO deputy commissioner, James Dipple-Johnstone says:

“The ICO welcomes the agreement reached with Facebook for the withdrawal of their appeal against our monetary penalty notice and agreement to pay the fine. The ICO’s main concern was that UK citizen data was exposed to a serious risk of harm.”

Dipple-Johnstone points to the political impact of the Cambridge Analytica breach and the importance of data privacy and protection adding:

“Protection of personal information and personal privacy is of fundamental importance, not only for the rights of individuals, but also as we now know, for the preservation of a strong democracy. We are pleased to hear that Facebook has taken, and will continue to take, significant steps to comply with the fundamental principles of data protection. With this strong commitment to protecting people’s personal information and privacy, we expect that Facebook will be able to move forward and learn from the events of this case.”

Facebook’s lawyer, Harry Kinmonth, also responded saying he was pleased to have reached a settlement and that:

“As we have said before, we wish we had done more to investigate claims about Cambridge Analytica in 2015. We made major changes to our platform back then, significantly restricting the information which app developers could access. Protecting people’s information and privacy is a top priority for Facebook, and we are continuing to build new controls to help people protect and manage their information.”

Kinmonth adds that Facebook will continue to cooperate with the ICO’s wider investigation into the “use of data analytics for political purposes,” and that:

“The ICO has stated that it has not discovered evidence that the data of Facebook users in the EU was transferred to Cambridge Analytica by Dr [Aleksandr] Kogan.”

Kogan being the researcher implicated in the collection of Facebook user data.

In July this year, the US Federal Trade Commission (FTC) levied a $5 billion penalty on Facebook for improperly sharing user data. If approved by the US Department of Justice, it will be the largest fine ever imposed by the US government on a technology company.


Talking about all the latest data breaches might seem a little like scaremongering. But, it’s not. Each data breach that hits the press may hold an important lesson in how breaches occur, the impact of them, and sometimes how to or how not to deal with a data breach.

A Ponemon Institute study on behalf of IBM found the average amount of time to identify a data breach is 197 days. And, the average time to contain a data breach even after it is identified is 69 days.

Let’s look at some of last week’s data breaches:

The Home Group – affecting 4,000 customers

On October 21, 2019, the BBC reported that Newcastle-based Home Group had experienced a breach affecting 4,000 customers. The breached data included customer names, addresses and contact information but not, says the BBC, financial data.

Home Group is a UK charity providing rented homes to 116,000 tenants in England and Scotland. The breach was identified by a third-party cybersecurity expert and was apparently resolved within 90 minutes.

The Home Group’s chief financial officer, John Hudson, spoke on the matter saying:

“We have a robust incident response protocol in place to deal with situations such as this, which meant the vulnerability was identified and fixed extremely quickly.”

The attacker would have needed “expert cyber security knowledge,” according to the report. Home Group says it follows strict guidelines and protocols and has contacted all customers involved.

7-Eleven’s Fuel Application

A fuel-buying application created by 7-Eleven in Australia, which has been downloaded two million times, was taken offline on October 25, 2019 for a number of hours.

As per The Guardian’s reporting, a customer found he was able to access other customers’ personal information in the app, including the balance held in another customer’s account. When he logged out and back in, he was shown yet another person’s account.

The customer informed 7-Eleven who have only said so far that the matter is under investigation. The company did take the application down for maintenance, returning it to operation later in the day. A spokesperson said:

“The 7-Eleven Fuel App experienced a technical issue. The issue has been resolved, and the 7-Eleven Fuel App is now online for all customers. We are continuing to investigate and have informed the relevant authorities.”

The Guardian notes that under Australian law companies must inform “the office of the Australian information commissioner and affected people when a data breach involving personal information is likely to result in serious harm.” And, the publication reports the commissioner’s office was notified.
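The 7-Eleven symptom (one authenticated customer shown another’s account) and the Cambridge Analytica loophole described earlier (an app reading friends’ data the friends never consented to share) are both failures to tie data access to the person who authenticated or consented. Below is an added example in Python, not 7-Eleven’s or Facebook’s code (the page does not say what caused either bug): an account lookup that trusts the identifier in the request beside the same lookup with an ownership check, and a platform-style profile read scoped to the consenting user only. All accounts, sessions and friends lists are constructed.

```python
"""An account lookup that authenticates the caller but never checks ownership,
beside the same lookup with the authorisation check that stops one customer
reading another's balance; and a platform API that scopes an app's data
access to the user who consented rather than to that user's friends.

Added example: not 7-Eleven's or Facebook's code, and the page does not say
what caused either bug. Accounts, sessions and friends lists are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str
    balance_cents: int


# constructed data stores
ACCOUNTS = {
    1001: Account(1001, "alice", 5250),
    1002: Account(1002, "bob", 120),
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}     # session token -> authenticated user
FRIENDS = {"alice": {"bob", "carol"}, "bob": {"alice"}, "carol": {"alice"}}
PROFILES = {"alice": {"likes": ["chess"]}, "bob": {"likes": ["hiking"]}, "carol": {"likes": ["jazz"]}}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def _user(session_token: str) -> str:
    user = SESSIONS.get(session_token)
    if user is None:
        raise Unauthenticated()
    return user


def get_account_vulnerable(session_token: str, account_id: int) -> Account:
    """Checks that *someone* is logged in, then trusts the account_id from the request.
    Any customer who guesses or increments an id reads another customer's balance."""
    _user(session_token)
    return ACCOUNTS[account_id]


def get_account(session_token: str, account_id: int) -> Account:
    """Hardened: the object must belong to the authenticated user. Missing and
    not-yours get the same response so the endpoint is not an id-enumeration oracle."""
    user = _user(session_token)
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner != user:
        raise Forbidden()
    return account


def my_accounts(session_token: str) -> list[Account]:
    """Better still: derive the object set from the session and take no id from the client."""
    user = _user(session_token)
    return [a for a in ACCOUNTS.values() if a.owner == user]


def app_read_profiles_vulnerable(consenting_user: str) -> dict:
    """Platform API that hands an app the consenting user's profile *and* every friend's."""
    targets = {consenting_user, *FRIENDS[consenting_user]}
    return {u: PROFILES[u] for u in targets}


def app_read_profiles(consenting_user: str) -> dict:
    """Hardened: an app's grant covers only the user who accepted it."""
    return {consenting_user: PROFILES[consenting_user]}


if __name__ == "__main__":
    print("bob reads alice via the vulnerable endpoint:", get_account_vulnerable("tok-bob", 1001))
    try:
        get_account("tok-bob", 1001)
    except Forbidden:
        print("hardened endpoint refuses")
    print("alice's app grant reaches:", sorted(app_read_profiles_vulnerable("alice")), "vs", sorted(app_read_profiles("alice")))
```

The authentication step is present in both versions; what differs is the authorisation step that binds the requested object to the session. Logging the Forbidden path is worth doing too: a customer hitting it repeatedly with consecutive ids is the signal that someone is probing.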

Adobe Creative Cloud

This Adobe breach first emerged on October 19 discovered by security researcher and data-breach hunter Bob Diachenko. Comparitech and Gizmodo broke the news which revealed customer records of 7.5 million Adobe Creative Cloud users were discovered online in an exposed database.

There is no news yet as to whether the records were found by any illicit actors, who could use them to conduct social engineering and spear-phishing attacks against Adobe’s customers. The exposed data reportedly did not contain passwords or payment information, but did include information on customer accounts, products used, member IDs, and subscription and payment statuses. Adobe reportedly responded quickly and secured the exposed database the same day, saying:

“We are reviewing our development processes to help prevent a similar issue occurring in the future.”

Experts have warned Adobe customers to be on the lookout for suspicious emails purporting to be from Adobe. A convincing email that quotes account details would indicate that cybercriminals have got hold of some of the data and are using it to trick customers into revealing more information or allowing malware onto their home systems or corporate networks.

The Betty Jean Kerr People’s Health Center – St Louis, US.

Lastly this week, a St Louis health centre revealed on Friday that it had been the victim of a ransomware attack in which patient addresses and social security numbers were encrypted by the attackers. The cybercriminals demanded a ransom to unlock the data; the center refused and contacted police. It is not yet known whether the patient records, potentially pertaining to up to 152,000 individuals, were viewed or copied by the attackers.

Knowledge is power

When data breaches hit the news we often hear only the headlines, sometimes about only a fraction of the whole breach; the full story emerges over time. Sometimes that story is better for the company involved, other times it is not.

For cybersecurity managers it’s worth watching how these incidents and others like them play out to get important insights for data protection and security. We’ve said it before, but an important part of cybersecurity is security awareness and of course, knowledge is power. Being armed with the knowledge of what cyber risks exist, how they permeate a business, and how to protect against them, is part of the foundation for an effective cybersecurity strategy.

