Weekly Cyber Risk Roundup: Largest Breach Ever and Law Firm Lawsuits

On Wednesday, Yahoo announced a data breach that affects more than one billion user accounts. The intrusion, which Yahoo believes occurred in August 2013, comes just months after the company announced a separate breach involving “at least 500 million user accounts.” The new breach was discovered after law enforcement received Yahoo data from a third party. The compromised information includes names, email addresses, telephone numbers, dates of birth, MD5-hashed passwords, and some encrypted or unencrypted security questions and answers.

As The New York Times noted, the breach gives Yahoo the distinction of having the largest ever data breach – on two separate occasions.

It also appears that the intruders were able to use stolen source code to forge cookies, which allowed the malicious actors to gain access to some users’ accounts without needing a password.

Yahoo said those forged cookies have been invalidated, along with any unencrypted security questions and answers. Yahoo did not make clear how many unencrypted security questions and answers were stolen, but users who used those same questions and answers on other sites may face increased risk around those accounts being compromised in the future.

The newly announced breach has also led to more speculation about the potential impact on Yahoo’s pending $4.8 billion deal to be acquired by Verizon. Sources told Reuters that Verizon is looking for “major concessions” from Yahoo, and Verizon reiterated that it would “review the impact of this new development before reaching any final conclusions” about proceeding with the deal.

The incident may also have an affect on the size of Yahoo’s user base. Reuters reported that several cybersecurity experts and bodies such as Germany’s Federal Office for Information Security are now advising Yahoo users to consider abandoning the service for email providers that may be more secure.

Other trending cybercrime events from the week include:

• Russian hacking put front-and-center: U.S. intelligence officials have “a high level of confidence” that Russian President Vladimir Putin was personally involved in the effort to interfere with the presidential election. Officials told ABC News that Russian hackers targeted as many as two email systems associated with the Republican National Committee, but the incidents didn’t raise the same level of concern as similar attacks against the DNC because the systems had long been unused. Germany’s domestic intelligence agency reported that Russia is trying to destabilize German society via targeted cyber-attacks against political parties and disinformation campaigns.  The head of the Swedish Military Intelligence and Security Service said that Russian hacking is a “serious threat” that may “influence democratic decision-making.”

• Insiders cause more cyber headaches: The February 2016 theft at Bangladesh Bank was aided by five low to mid-level employees who were negligent and careless but not directly involved in the crime, according to a Bangladesh government-appointed panel. Hong Kong officials have arrested 29 current and former employees across five financial institutions for alleged bribery and sharing of confidential customer information. A two-year investigation found that lax privacy procedures at the Ohio Department of Rehabilitation and Correction contributed to a $422,000 scheme that used prisoners’ identities to apply for federal student loans. An employee of Banner Boswell Hospital in Arizona has been arrested for allegedly stealing patients’ credit card information and using that information to buy items online.

• More DDoS attacks amid arrests: A series of DDoS attacks aimed at disrupting updates about the pro-Russian separatist conflict brought down the websites for Ukraine’s Finance Ministry and State Treasury. Nearly three dozen users of “booter” services were arrested in a global effort dubbed “Operation Tarpit,” a law enforcement campaign aimed at weakening demand for cybercrime-for-hire services and raising awareness of the risks of engaging in cybercrime.

• Other breach announcements: A backup server belonging to Joan Jett’s Blackheart Records had no password and left open port 873, which is typically used for the file synchronization protocol rsync, potentially exposing more than 200 gigabytes of data. A hacker going by the name Kapustkiy claims to have hacked the website for the Consular Department of the Embassy of the Russian Federation in the Netherlands and stole thousands of passport numbers and personal details. The hacking group known as “Legion” claims to have several terabytes worth of data stolen from more than 40,000 Indian servers. KFC is urging 1.2 million members of the Colonel Club loyalty program to change their passwords due to a small number of accounts being compromised. An unauthorized third party accessed Quest Diagnostics’ MyQuest by Care360 app and obtained the Protected Health Information of approximately 34,000 individuals. An unnamed doctor’s office in Hamilton, Ontario, experienced a breach involving electronic patient records. The data of 1000 students who attended Frederick County Public Schools between November 2005 and November 2006 was found online by a former student.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

The past week saw several legal developments involving both past breaches and possible future lawsuits.

Ruby Corp, the operator of AshleyMadison, has agreed to pay $1.6 million to settle state and Federal Trade Commission charges related to its massive July 2015 data breach. The total fine was $17.5 million, but the remaining portion was suspended based on Ruby Corp.’s inability to pay.

“I recognize that it was a far lower number frankly than I would have liked,” FTC Chairwoman Edith Ramirez said on a conference call with reporters. “We want them to feel the pain. We don’t want them to profit from unlawful conduct. At the same time, we are not going to seek to put a company out of business.”

The settlement also requires the implementation of a comprehensive data-security program, including third-party assessments.

Another interesting story of note is a lawsuit that was recently filed against the Chicago-based law firm Johnson & Bell that alleges the firm failed to protect confidential customer information. According to the lawyer that filed the case, it is the first class action lawsuit against a law firm over inadequate data security measures. The same lawyer previously said he had identified a total of 15 firms lacking basic security measures that may be targeted by lawsuits, although the others have not yet been publicly named.

The Johnson & Bell lawsuit was filed back in April 2016; however, it only recently became public and moved to arbitration. Although the complaint does not claim that any data was actually stolen, it alleges that the firm put clients at risk due to using an out of date time-entry system, a VPN that was prone to man-in-the-middle attacks, and an email system that was vulnerable to the DROWN attack.

As SurfWatch Labs noted in our whitepaper, Flipping the Script: Law Firms Hunted by Cybercriminals, law firms are attractive targets for malicious actors as they often have weaker security than the clients they represent. Breaches may also be especially damaging for law offices as confidentiality is at the core of the legal process and law firms often have access to valuable data.