Weekly Cyber Risk Roundup: Yahoo’s Value Drops and New Regulations

Yahoo is once again back in the news for a variety of reasons, including a reported third data breach. However, it appears the reports of a “new breach” stem from additional notifications that were sent to some users on Wednesday regarding forged cookies being used to access accounts. Yahoo first disclosed that it was notifying affected users that “an unauthorized third party accessed our proprietary code to learn how to forge cookies” in its December 2016 breach announcement.


“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” a Yahoo spokesperson said regarding the recent account notifications. “The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders.”

In addition to users potentially growing weary of Yahoo’s months-long series of breach notifications, two senators sent a letter to Yahoo questioning the company’s “willingness to deal with Congress with complete candor” about the recent breaches. Initial inquiries showed that “company officials have been unable to provide answers to many basic questions about the reported breaches” and a planned congressional staff meeting was cancelled at the last minute by Yahoo, wrote Sen. John Thune, chairman of the Senate Commerce Committee, and Sen. Jerry Moran, chairman of the Consumer Protection and Data Security Subcommittee. The letter requests answers to five questions related to Yahoo’s breaches and subsequent response by February 23.

All of that negative press may translate into hundreds of millions of dollars being cut from Yahoo’s pending deal to be acquired by Verizon. Bloomberg reported last Wednesday that the two companies were close to reaching a renegotiated deal that would lower the price of the core Yahoo business from $4.8 billion to about $4.55 billion — a $250 million discount. In addition, the remaining aspects of Yahoo, to be renamed Altaba Inc., will likely share any ongoing legal responsibilities related to the breaches, although the deal is not yet final.


Other trending cybercrime events from the week include:

  • Variety of espionage campaigns: A campaign dubbed “Operation BugDrop” targeted a broad range of Ukrainian targets by remotely controlling computer microphones in order to eavesdrop on sensitive conversations, and at least 70 victims have been confirmed in a range of sectors including critical infrastructure, media, and scientific research. A phishing campaign against journalists, labor rights activists, and human rights defenders used fully fleshed-out social media accounts of a fake UK university graduate to engage with targets for months and make repeated attempts to bait the targets into handing over Gmail credentials. Spyware from the Israeli cyberarms dealer NSO Group has been found on the phones of nutrition policy makers, activists and government employees who are proponents of Mexico’s soda tax, leading to concerns over how the NSO Group is vetting potential government clients and whether a Mexican government agency is behind the espionage.
  • Actor breached dozens of organizations: A hacker going by the name “Rasputin” has breached more than 60 universities and government agencies by allegedly using a self-developed SQL injection tool. The targets included dozens of universities in the U.S. and the UK, city and state governments, and federal agencies like the Department of Health and Human Services.
  • Employee data compromised: In addition to a growing list of organizations impacted by W-2 phishing emails, Lexington Medical Center announced a W-2 breach involving unauthorized access to its employee information database known as eConnect/Peoplesoft. The city of Guelph, Ontario, is notifying some employees that their personal information was compromised when a flash drive containing sensitive documents was accidentally given to a former city employee as part of an ongoing wrongful dismissal lawsuit. A data breach at the San Antonio Symphony compromised the data of about 250 employees.
  • Ukraine accuses Russia of critical infrastructure attacks: Ukrainian officials accused Russia of targeting their critical infrastructure with malware designed to attack specific industrial processes, including modules that sought to harm equipment inside the electric grid. The attacks employed a mechanism dubbed “Telebots” to infect computers that control infrastructure. Researchers believe that Telebots evolved from BlackEnergy, a group that first attacked Ukraine’s energy industry in December 2015.
  • Other cybercrime announcements: FunPlus, the creator of the popular mobile game Family Farm Seaside, said it was the victim of a data breach, and the actor behind the attack claims to have stolen millions of email addresses as well as 16GB of product source code. Columbia Sportswear announced that it is investigating a cyber-attack on its prAna online clothing store. Hackers stole data on approximately 3,600 customers of Danish telecom company 3 and then attempted to blackmail the company for millions of dollars in return for not making the data public. Family Service Rochester, an organization that works with families with child welfare or family violence concerns, is notifying individuals of unauthorized access to their personal information, as well as a ransomware infection. Bingham County computer servers were infected with ransomware. The Russian Healthcare Ministry recently experienced its “largest” DDoS attack in recent years.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

In addition to Yahoo, the past few weeks have seen several new regulatory announcements and fines related to data breaches.

For starters, New York Governor Andrew Cuomo announced that new regulations will go into effect on March 1, 2017, “to protect New York’s financial services industry and consumers from the ever-growing threat of cyber-attacks.” The regulation includes minimum standards organizations must meet, such as:

  • Controls relating to the governance framework for a robust cybersecurity program, including adequate funding, staffing, oversight, and reporting
  • Standards for technology systems, including access controls, encryption, and penetration testing
  • Standards to help address breaches, including an incident response plan, preservation of data, and notice to the Department of Financial Services (DFS) of material events
  • Accountability by requiring identification and documentation of material deficiencies, remediation plans, and annual certifications of regulatory compliance to DFS

In addition to the New York regulations, the Australian data breach notification law passed through the Senate and will go into effect either by a proclaimed date or a year after receiving Royal Assent. Violating these soon-to-be-implemented rules can be costly for organizations. Over just the past week organizations of various sizes announced breach-related settlements — most of which were compounded by not following required security practices.

  • Memorial Healthcare Systems will pay $5.5 million for failing “to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules.”
  • Horizon Blue Cross Blue Shield of New Jersey will pay $1.1 million over the theft of unencrypted laptops.
  • Grand Buffet restaurant will pay $30,000 over the theft of payment card information by an employee and failing to implement corrective actions after being informed about the mishandling of credit cards.

Following the cybersecurity best practices outlined by regulatory bodies can not only help prevent many security incidents from occurring in the first place, but also make organizations far less likely to face the wrath of government bodies in the event of a breach.