regulations – SurfWatch Labs, Inc.

Weekly Cyber Risk Roundup: Payment Card Breaches, Encryption Debate, and Breach Notification Laws

This past week saw the announcement of several new payment card breaches, including a point-of-sale breach at Applebee’s restaurants that affected 167 locations across 15 states.

The malware, which was discovered on February 13, 2018, was “designed to capture payment card information and may have affected a limited number of purchases” made at Applebee’s locations owned by RMH Franchise Holdings, the company said in a statement.

News outlets reported many of the affected locations had their systems infected between early December 2017 and early January 2018. Applebee’s has close to 2,000 locations around the world and 167 of them were affected by the incident.

In addition to Applebees, MenuDrive issued a breach notification to merchants saying that its desktop ordering site was injected with malware designed to capture payment card information. The incident impacted certain transactions from November 5, 2017 to November 28, 2017.

“We have learned that the malware was contained to ONLY the Desktop ordering site of the version that you are using and certain payment gateways,” the company wrote. “Thus, this incident was contained to a part of our system and did NOT impact the Mobile ordering site or any other MenuDrive versions.”

Finally, there is yet another breach notification related to Sabre Hospitality Solutions’ SynXis Central Reservations System — this time affecting Preferred Hotels & Resorts. Sabre said that a unauthorized individual used compromised user credentials to view reservation information, including payment card information, for a subset of hotel reservations that Sabre processed on behalf of the company between June 2016 and November 2017.

Other trending cybercrime events from the week include:

Marijuana businesses targeted: MJ Freeway Business Solutions, which provides business management software to cannabis dispensaries, is notifying customers of unauthorized access to its systems that may have led to personal information being stolen. The Canadian medical marijuana delivery service JJ Meds said that it received an extortion threat demanding $1,000 in bitcoin in order to prevent a leak of customer information.
Healthcare breach notifications: The Kansas Department for Aging and Disability Services said that the personal information of 11,000 people was improperly emailed to local contractors by a now-fired employee. Front Range Dermatology Associates announced a breach related to a now-fired employee providing patient information to a former employee. Investigators said two Florida Hospital employees stole patient records, and local news reported that 9,000 individuals may have been impacted by the theft.
Notable data breaches: Ventiv Technology, which provides workers’ compensation claim management software solutions, is notifying customers of a compromise of employee email accounts that were hosted on Office365 and contained personal information. Catawba County services employees had their personal information compromised due to the payroll and human resources system being infected with malware. Flexible Benefit Service Corporation said that an employee email account was compromised and used to search for wire payment information. A flaw in Nike’s website allowed attackers to read server data and could have been leveraged to gain greater access to the company’s systems. A researcher claimed that airline Emirates is leaking customer data.
Other notable events: Cary E. Williams CPA is notifying employees, shareholders, trustees and partners of a ransomware attack that led to unauthorized access to its systems. The cryptocurrency exchange Binance said that its users were the target of “a large scale phishing and stealing attempt” and those compromised accounts were used to perform abnormal trading activity over a short period of time. The spyware company Retina-X Studios said that it “is immediately and indefinitely halting its PhoneSheriff, TeenShield, SniperSpy and Mobile Spy products” after being “the victim of sophisticated and repeated illegal hackings.”

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of the top trending targets are shown in the chart below.

Cyber Risk Trends From the Past Week

There were several regulatory stories that made headlines this week, including the FBI’s continued push for a stronger partnership with the private sector when it comes to encryption, allegations that Geek Squad techs act as FBI spies, and new data breach notification laws.

In a keynote address at Boston College’s cybersecurity summit, FBI Director Christopher Wray said that there were 7,775 devices that the FBI could not access due to encryption in fiscal 2017, despite having approval from a judge. According to Fry, that meant the FBI could not access more than half of the devices they tried to access during the period.

“Let me be clear: the FBI supports information security measures, including strong encryption,” Fry said. “Actually, the FBI is on the front line fighting cyber crime and economic espionage. But information security programs need to be thoughtfully designed so they don’t undermine the lawful tools we need to keep the American people safe.”

However, Ars Technica noted that a consensus of technical experts has said that what the FBI has asked for is impossible.

In addition, the Electronic Frontier Foundation obtained documents via a Freedom of Information Act lawsuit that revealed the FBI and Best Buy’s Geek Squad have been working together for decades. In some cases Geek Squad techs were paid as much as $1,000 to be informants, which the EFF argued was a violation of Fourth Amendment rights as the computer searches were not authorized by their owners.

Finally, the Alabama senate unanimously passed the Alabama Breach Notification Act, and the bill will now move to the house.

“Alabama is one of two states that doesn’t have a data breach notification law,” said state Senator Arthur Orr, who sponsored Alabama’s bill. “In the case of a breach, businesses and organizations, including state government, are under no obligation to tell a person their information may have been compromised.”

With both Alabama and South Dakota recently introducing data breach notification legislation, every resident of the U.S. may soon be protected by a state breach notification law.

Weekly Cyber Risk Roundup: More HBO Leaks and UK Talks New Data Protections

HBO was once again the week’s top trending target as the actors behind the company’s breach continued to leak data stolen from the company, including emails that showed HBO attempted to negotiate a $250,000 “bounty payment” in response to the theft.

A source told Reuters that the negotiation email was sent as a stall tactic and that HBO never intended to pay the attackers, who reportedly demanded $6 million in ransom.

“You have the advantage of having surprised us,” HBO’s email read, according to Variety. “In the spirit of professional cooperation, we are asking you to extend your deadline for one week.”

The actors behind the attack claim to have stolen 1.5 terabytes worth of data. In late July, the group leaked several episodes of unaired HBO shows as well as leaked a script for an unaired episode of Game of Thrones. Last Tuesday the group leaked an additional 3.4 GB of data.

As The Guardian reported, that leak included more Game of Thrones scripts, internal HBO documents, and a month’s worth of emails from HBO’s vice president for film programming. Among the documents were technical data detailing HBO’s internal network and administrator passwords, a spreadsheet of legal claims against the TV network, job offer letters to several top executives, slides discussing future technology plans, and a document that appears to list the contact information of Game of Thrones actors.

The group also claimed that HBO was its seventeenth target and that HBO was only the third company to have not paid the ransom demanded by the group. An HBO spokesperson previously said that the company’s ongoing investigation “has not given us a reason to believe that our e-mail system as a whole has been compromised.”

Other trending cybercrime events from the week include:

Actors target Ireland’s grid: Ireland’s EirGrid said that the country’s electric grid was targeted by state-sponsored actors that managed to gain access to a Vodafone network used by the company and then compromised routers used by EirGrid in Wales and Northern Ireland. The breach of the Vodafone network allowed the hackers to create a type of wiretap known as Generic Routing Encapsulation (GRE) to tunnel into EirGrid’s Vodafone router, the Independent reported.

Millions of Venezuelans lose cell service: Venezuelan government websites were the target of a massive cyber-attack allegedly carried out by a group known as “The Binary Guardians,” and as a result seven million mobile phone users were left without service, government officials said. The attacks affected the Movilnet’s GSM platform, officials said, leaving seven million of the thirteen million mobile phone users without service.

New data breaches: Parkbytext is notifying its users that their information may have been compromised due to malware during a service outage. The personal information of 100,000 Dutch drivers was leaked due a flaw in the LeaseWise software created by software company CarWise ICT and used by 52 Dutch car leasing companies. UCLA officials said that a Summer Sessions and International Education Office server was potentially breached in a May 18 cyber-attack and that the personal information of 32,000 students may have been compromised.

Agencies warn of phishing scams: A new phishing scam is impersonating tax software providers in an attempt to steal credentials from tax professionals, the IRS warned. Scammers are impersonating officials from the National Institutes of Health and telling consumers that they’ve been selected to receive a $14,000 grant in an attempt to get victims to pay a fee via gift cards or their bank account numbers, the FTC warned.

Arrests and sentences: Two Israeli men were arrested and indicted in Israel on charges believed to be related to operating the DDoS-for-hire service known as vDOS. A former employer of Allen & Hoshall has been sentenced to 18 months in prison for repeatedly accessing the company’s servers over a two-year period in order to obtain proprietary information. An Australian man has been sentenced to an 18-month suspended sentence for his role in operating an illegal network that allowed the selling of unauthorized access to Foxtel service to more than 8,000 people.

Other notable incidents: Pernod Ricard SA, producer of Absolut vodka and Chivas Regal Scotch whisky, was the target of a cyber-attack, and some employees at the company’s London office had to turn in their computers to be inspected for infections, sources told Bloomberg. Four different anonymous Bloomberg chat rooms were shut down after a user from the investment firm Janus Henderson sent an unmasked list of all the previous day’s 866 participants in the metal and mining chat room to people in the chat room.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

The UK Department for Digital, Culture, Media & Sport (DCMS) released a statement of intent on a new data protection bill last week.

The goal of future data protection acts is to “ensure that we help to prepare the UK for the future after we have left the EU,” wrote DCMS Minister for Digital Matt Hancock.

“The EU General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive (DPLED) have been developed to allow people to be sure they are in control of their personal information while continuing to allow businesses to develop innovative digital services without the chilling effect of over-regulation,” Hancock wrote. “Implementation will be done in a way that as far as possible preserves the concepts of the Data Protection Act to ensure that the transition for all is as smooth as possible, while complying with the GDPR and DPLED in full.”

In short, any changes to UK law will be designed around existing international frameworks such as GDPR, which already includes provisions such as individuals being able to exercise their “right to be forgotten” and request that their personal information be deleted, as well as the potential for much larger penalties for organizations that suffer data breaches. As the BBC reported, the current maximum fine for breaking existing data breach protection laws is £500,000, and that will be increased up to £17 million or 4% of global turnover.

As Daradjeet Jagpal noted, the UK government intends to apply for some exemptions from the GDPR, such as allowing organizations other than police to process personal data on criminal convictions and offences, as well as allowing automated data processing — with the caveat that individuals will have the right to challenge any resulting decisions and request human intervention.

Numerous surveys this year have noted that a significant percentage of organizations remain unprepared for the upcoming implementation of GDPR, which is set to go into effect on May 25, 2018. For example, Veritas reported that only nine percent of UK organizations that believe they are prepared for the GDPR are likely in actual compliance. Organizations should remain aware of any potential changes in data protection laws such as GDPR and work to ensure that they will be in compliance with those changes before they become the law of the land.

Weekly Cyber Risk Roundup: WannaCrypt Spreads and Trump Signs Executive Order

The week’s top cybercrime event was the spread of WannaCrypt ransomware, which managed to infect tens of thousands of computers on Friday. The attack affected NHS hospitals and facilities in England and Scotland, Telefonica and Gas Natural in Spain, FedEx in the U.S., and numerous other organizations — largely across Asia and Europe.

By Saturday researchers reported more than 126,000 detections of the ransomware across 104 countries. The number of infections may have been worse, but the security researcher MalwareTech managed to halt the spread of the malware by purchasing a domain name, which essentially triggered a “kill switch.” MalwareTech explained why the ransomware had this design:

“I believe [the attackers] were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox [and] the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan … however, because WannaCrypt used a single hardcoded domain, my [registration] of it caused all infections globally to believe they were inside a sandbox and exit.”

WannaCrypt leverages an allegedly NSA-derived exploit called “EternalBlue” that was made public by TheShadowBrokers last month. Microsoft has patched the flaw (MS17-010), but Friday’s events made it clear that many organizations have yet to apply that patch. Microsoft also announced that it is taking “the highly unusual step” of providing a security update for Windows XP, Windows 8, and Windows Server 2003 to help protect its customers from the threat. Organizations should patch immediately. As MalwareTech noted on Sunday, the last version of WannaCrypt was stoppable, but the next version will likely remove that flaw.

Other trending cybercrime events from the week include:

Third-party providers lead to breaches: Hackers managed to gain access to the stem files of Lady Gaga last December by sending spear phishing messages to executives at September Management, a music management business, and Cherrytree Music Company, a management and record company. Debenhams Flowers said that 26,000 website customers had their data compromised due to malware stealing their payment details from Ecomnova, a third-party e-commerce company. The email addresses and usernames of individuals who used the dating website Guardian Soulmates were exposed by a third-party service provider, resulting in members of the site receiving explicit spam emails.
Malicious actors sell and leak stolen data: A dark web vendor using the handle “nclay” claims to have 77 million records stolen from social learning platform Edmodo and is attempting to sell them on the dark web for just over $1000. The data allegedly includes usernames, email addresses, and passwords that are hashed with bcrypt and salted. Malicious actors leaked 9GB of internal documents from the campaign staff of France’s President-elect Emmanuel Macron in the days prior to the country’s election. A group known as “TuftsLeaks” published financial information belonging to Tufts University, including department budgets, the salaries of thousands of staff and faculty, and the ID numbers of student employees.
Healthcare organizations expose data: Patients of Bronx-Lebanon Hospital Center had their sensitive health and personal information exposed to the internet due to a misconfigured rsync backup managed by IHealth Innovations. The records and files from a number of departments were publicly accessible and viewable, including cardiology, surgery, pulmonology, psychiatry, and neurosurgery. A flaw in the website of True Health Diagnostics allowed users to view the medical records of other patients by modifying a single digit in the PDF link to their own records. Diamond Institute for Infertility and Menopause in New Jersey said that 14,633 patients had their data exposed due to an unknown individual gaining access to the third-party server in February 2017.
Other notable cybercrime news: An internet-connected backup drive used by New York University’s Institute for Mathematics and Advanced Supercomputing contained hundreds of pages of documents detailing an advanced code-breaking machine that had never before been described in public. The project was a joint supercomputing initiative administered by NYU, the Department of Defense, and IBM. A California court has found a former private security officer guilty of hacking into the servers of Security Specialists, his former employer, to steal data on customers; delete information such as archived emails, server files, and databases; deface the company website; steal proprietary software; and set up a rival business that used the stolen software. The incident occurred after the employee was fired in 2014 for logging into the payroll database with administrative credentials in order to pad his hours. Confluence Charter Schools is warning parents and staff that a hack of network servers has impacted email, phones, SISFIN, its financial system, and its student information system Infinite Campus and that the “breach has caused some files to be unrecoverable.”

Cyber Risk Trends From the Past Week

On Thursday, President Donald Trump issued an executive order on strengthening the cybersecurity of federal networks and critical infrastructure. The order includes a variety of mostly reporting requirements designed to protect federal networks, update outdated systems, and direct agency heads to work together “so that we view our federal I.T. as one enterprise network,” said Trump’s homeland security advisor Tom Bossert.

The order also requires the heads of federal agencies to use The Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST) to assess and manage their agency’s cyber risk. Each agency must submit a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days that outlines their plan to implement the framework. The director of OMB and other supporting officials will then have 60 days to review the reports and pass along information to the president regarding a plan to align budgetary needs, policies, guidelines, and standards with the NIST framework. The Obama administration had previously encouraged the private sector to adopt the NIST framework, but government agencies were never required to follow it — until now.

“It is something that we have asked the private sector to implement, and not forced upon ourselves,” Bossert said at the daily White House press briefing on Thursday. “From this point forward, departments and agencies shall practice what we preach and implement that same NIST framework for risk management and risk reduction.”

The order also includes reporting regarding critical infrastructure, which builds upon the order issued by Obama in 2013, and reporting on “strategic options for deterring adversaries and better protecting the American people from cyber threats.”

As many media outlets have reported, the executive order has received a mostly positive response from the cybersecurity community; however, it is largely a continuation of the cybersecurity policy under previous administrations and has received some criticism for being more focused on reporting than actions.

Weekly Cyber Risk Roundup: Yahoo’s Value Drops and New Regulations

Yahoo is once again back in the news for a variety of reasons, including a reported third data breach. However, it appears the reports of a “new breach” stem from additional notifications that were sent to some users on Wednesday regarding forged cookies being used to access accounts. Yahoo first disclosed that it was notifying affected users that “an unauthorized third party accessed our proprietary code to learn how to forge cookies” in its December 2016 breach announcement.

“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” a Yahoo spokesperson said regarding the recent account notifications. “The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders.”

In addition to users potentially growing weary of Yahoo’s months-long series of breach notifications, two senators sent a letter to Yahoo questioning the company’s “willingness to deal with Congress with complete candor” about the recent breaches. Initial inquiries showed that “company officials have been unable to provide answers to many basic questions about the reported breaches” and a planned congressional staff meeting was cancelled at the last minute by Yahoo, wrote Sen. John Thune, chairman of the Senate Commerce Committee, and Sen. Jerry Moran, chairman of the Consumer Protection and Data Security Subcommittee. The letter requests answers to five questions related to Yahoo’s breaches and subsequent response by February 23.

All of that negative press may translate into hundreds of millions of dollars being cut from Yahoo’s pending deal to be acquired by Verizon. Bloomberg reported last Wednesday that the two companies were close reaching a renegotiated deal that would lower the price of the core Yahoo business from $4.8 billion to about $4.55 billion — a $250 million dollar discount. In addition, the remaining aspects of Yahoo, to be renamed Altaba Inc., will likely share any ongoing legal responsibilities related to the breaches, although the deal is not yet final.

Other trending cybercrime events from the week include:

Variety of espionage campaigns: A campaign dubbed “Operation BugDrop” targeted a broad range of Ukrainian targets by remotely controlling computer microphones in order to eavesdrop on sensitive conversations, and at least 70 victims have been confirmed in a range of sectors including critical infrastructure, media, and scientific research. A phishing campaign against journalists, labor rights activists, and human rights defenders used fully-fleshed out social media accounts of a fake UK university graduate to engage with targets for months and make repeated attempts to bait the targets into handing over Gmail credentials. Spyware from the Israeli cyberarms dealer NSO Group has been found on the phones of nutrition policy makers, activists and government employees that are proponents of Mexico’s soda tax, leading to concerns over how the NSO Group is vetting potential government clients and whether a Mexican government agency is behind the espionage.

Actor breached dozens of organizations: A hacker going by the name “Rasputin” has breached more than 60 universities and government agencies by allegedly using a self-developed SQL injection tool. The targets included dozens of universities in the U.S. and the UK, city and state governments, and federal agencies like the Department of Health and Human Services.

Employee data compromised: In addition to a growing list of organizations impacted by W-2 phishing emails, Lexington Medical Center announced a W-2 breach involving unauthorized access to its employee information database known as eConnect/Peoplesoft. The city of Guelph, Ontario, is notifying some employees that their personal information was compromised when a flash drive containing sensitive documents was accidentally given to a former city employee as part of an ongoing wrongful dismissal lawsuit. A data breach at the San Antonio Symphony compromised the data of about 250 employees.

Ukraine accuses Russia of critical infrastructure attacks: Ukrainian officials accused Russia of targeting their critical infrastructure with malware designed to attack specific industrial processes, including modules that sought to harm equipment inside the electric grid. The attacks employed a mechanism dubbed “Telebots” to infect computers that control infrastructure. Researchers believe that Telebots evolved from BlackEnergy, a group that first attacked Ukraine’s energy industry in December 2015.

Other cybercrime announcements: FunPlus, the creators of the popular mobile game Family Farm Seaside, said it was the victim of a data breach, and the actor behind the attack claims to have stolen millions of email addresses as well as 16GB of product source code. Columbia Sportsware announced that it is investigating a cyber-attack on its prAna online clothing store. Hackers have stolen data on approximately 3,600 customers of Danish telecom company 3 and then attempted to blackmail the company for millions of dollars in return for not making the data public. Family Service Rochester, an organization that works with families with child welfare or family violence concerns, is notifying individuals of unauthorized access to their personal information, as well as a ransomware infection. Bingham County computer servers were infected with ransomware. The Russian Healthcare Ministry recently experienced its “largest” DDoS attack in recent years.

Cyber Risk Trends From the Past Week

In addition to Yahoo, the past few weeks have seen several new regulatory announcements and fines related to data breaches.

For starters, New York Governor Andrew Cuomo announced that new regulations will go into effect on March 1, 2017, “to protect New York’s financial services industry and consumers from the ever-growing threat of cyber-attacks.” The regulation includes minimum standards organizations must meet, such as:

Controls relating to the governance framework for a robust cybersecurity program, including adequate funding, staffing, oversight, and reporting
Standards for technology systems, including access controls, encryption, and penetration testing
Standards to help address breaches, including an incident response plan, preservation of data, and notice to the Department of Financial Services (DFS) of material events
Accountability by requiring identification and documentation of material deficiencies, remediation plans, and annual certifications of regulatory compliance to DFS

In addition to the New York regulations, the Australian data breach notification law passed through the Senate and will go into effect either by a proclaimed date or a year after receiving Royal Assent. Violating these soon-to-be-implemented rules can be costly for organizations. Over just the past week organizations of various sizes announced breach-related settlements — most of which were compounded by not following required security practices.

Memorial Healthcare Systems will pay $5.5 million for failing “to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules.”
Horizon Blue Cross Blue Shield of New Jersey will pay $1.1 million over the theft of unencrypted laptops.
Grand Buffet restaurant will pay a $30,000 over the theft of payment card information by an employee and failing to implement corrective actions after being informed about the mishandling of credit cards.

Following the cybersecurity best practices outlined by regulatory bodies can not only help prevent many security incidents from occurring in the first place, but in the event of a breach those organizations are far less likely to face the wrath of government bodies.