Helping your business stay abreast of, and make sense of, the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.
Do you know the “this is fine” meme? It’s a phrase you hear occasionally in cyber circles, and it carries a double meaning for the latest edition of our news roundup, which catalogues a series of record-breaking data breach fines. Not so fine for the recipients. Meanwhile, poor passwords, successful email scams and poorly secured cloud data again provide plenty of news material.
Summary: In a matter of weeks we’ve seen three record fines or settlements relating to data breaches: Facebook’s record US$5b fine over privacy violations that include the Cambridge Analytica scandal, US credit bureau Equifax’s record US$700m settlement for its 2017 data breach, and a proposed £183m fine for British Airways under the General Data Protection Regulation (GDPR).
Key risk takeaway: Regulators’ expectations regarding privacy have been ramping up for a while, notably through the introduction of schemes like GDPR and the Notifiable Data Breaches (NDB) scheme. With these record fines, the motivation and intent of regulators to enforce those schemes is strikingly clear, particularly as we move deeper into their second year of operation. Australian Privacy Commissioner Angelene Falk has said as much in recent months, outlining her expectation that organisations now “understand the causes of data breaches and how to prevent them”, and signalling her agency’s intent in the second year of the NDB scheme to “[exercise] our enforcement powers where necessary”.
Tags: #privacy #compliance
Summary: Citrix, a US company whose enterprise software is widely used, was reportedly breached using an unsophisticated technique known as password spraying: trying a short list of weak or common passwords against many accounts until one works.
Key risk takeaway: Passwords – so important, yet so overlooked. Compromised or stolen credentials were behind most of the malicious cyber incidents that resulted in data breaches reported in the first year of the NDB scheme. In the Citrix case, attackers used automated tools to guess weak or common passwords across many accounts. Because each account sees only one or two attempts, per-account lockout thresholds rarely trip, so the spray has to be spotted by looking at the source of the attempts rather than at any single account. Key defences are training staff on the importance of passwords and how to create strong, unique ones, blocking known-weak passwords at the point they are set, and multi-factor authentication (where a one-time code or hardware token is required in addition to a username and password) for any sensitive account, and especially for anything reachable from the internet.
Tags: #passwords #userawareness
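The source-centric view described above, as an added example that is not from the original roundup and not Citrix’s own tooling. It runs over a constructed authentication log excerpt (the log format, addresses and user names are assumptions) and flags a source that fails against many accounts with few attempts each, then reports which accounts that source subsequently logged into:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log excerpt (not Citrix's logs): one spraying source,
# one single-account brute force, and one user who mistyped a password once.
SAMPLE_LOG = """\
2019-03-06T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2019-03-06T09:00:03Z src=203.0.113.5 user=bob result=FAIL
2019-03-06T09:00:05Z src=203.0.113.5 user=carol result=FAIL
2019-03-06T09:00:07Z src=203.0.113.5 user=dave result=FAIL
2019-03-06T09:00:09Z src=203.0.113.5 user=erin result=FAIL
2019-03-06T09:00:11Z src=203.0.113.5 user=frank result=SUCCESS
2019-03-06T09:01:00Z src=198.51.100.7 user=admin result=FAIL
2019-03-06T09:01:02Z src=198.51.100.7 user=admin result=FAIL
2019-03-06T09:01:04Z src=198.51.100.7 user=admin result=FAIL
2019-03-06T09:01:06Z src=198.51.100.7 user=admin result=FAIL
2019-03-06T09:01:08Z src=198.51.100.7 user=admin result=FAIL
2019-03-06T09:01:10Z src=198.51.100.7 user=admin result=FAIL
2019-03-06T09:05:00Z src=192.0.2.9 user=alice result=FAIL
2019-03-06T09:05:20Z src=192.0.2.9 user=alice result=SUCCESS
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line (assumed format) into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_password_spraying(lines, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Map source -> sorted list of targeted accounts when, within `window`, a source
    fails against at least `min_users` distinct accounts with no more than
    `max_per_user` failures each. Many accounts and few tries per account is the
    spraying shape; per-account lockout counters never trip on it. A single account
    hammered many times (classic brute force) is deliberately not matched here."""
    fails = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if e["result"] == "FAIL":
            fails[e["src"]].append(e)
    alerts = {}
    for src, events in fails.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window so events[start:end+1] all fall within `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in events[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[src] = sorted(per_user)
    return alerts


def accounts_opened(lines, alerts):
    """Accounts that a flagged spraying source successfully logged into: the ones
    whose password the spray guessed, and which need a reset and MFA first."""
    opened = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if e["src"] in alerts and e["result"] == "SUCCESS":
            opened[e["src"]].append(e["user"])
    return dict(opened)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    found = detect_password_spraying(lines)
    print("spraying sources:", found)
    print("accounts opened:", accounts_opened(lines, found))
```

The brute-force source (198.51.100.7) is not reported because it targets a single account, which a normal lockout policy already handles; the thresholds are assumptions to tune against your own login volumes.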
Summary: A breach of US financial services provider Capital One exposed the personal information of 100 million customers. The breach occurred after a hacker exploited a misconfigured web application firewall in its cloud computing infrastructure (hosted on Amazon Web Services) to obtain credentials that were then used to read data from the company’s cloud storage.
Key risk takeaway: There’s a lot to take away from this one. Multiple reports paint the hacker (who has been arrested) as highly capable, possibly benefiting from her knowledge as a former Amazon employee. Regardless, the key lesson from this breach is the importance of prioritising cloud security. Our previous news roundups reveal a litany of companies suffering breaches after failing to secure their cloud infrastructure. The questions being asked in the wake of Capital One’s breach, and which any organisation should ask itself when using cloud services, are: How sensitive is the data, and is it appropriate to store it in the cloud? If so, what protections are in place, including least-privilege permissions on the storage and monitoring of data downloaded or shared? (Reports indicate no alerts were triggered when the Capital One data was downloaded.) Capital One responded quickly once notified by an external party, which suggests it had mature response plans and processes in place.
Tags: #cloudsecurity #incidentresponse #detection #monitoring
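What “monitoring of data downloaded” can look like in practice, as an added example that is not from the original roundup and not Capital One’s or AWS’s own detection. It runs over constructed events in a simplified CloudTrail-like shape (the field names, role ARNs, bucket names and the 10.0.0.0/8 “expected network” are all assumptions) and flags a principal whose credentials are used from outside the expected network to enumerate buckets and pull a large number of objects across several of them:

```python
import ipaddress
from collections import defaultdict

# Assumption: the address space our workloads legitimately call the cloud API from.
EXPECTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Hypothetical principals: the web application firewall host's role and a batch job's role.
WAF_ROLE = "arn:aws:sts::123456789012:assumed-role/waf-role/i-0a1b2c3d"
ETL_ROLE = "arn:aws:sts::123456789012:assumed-role/etl-role/i-0f9e8d7c"


def _event(principal, ip, name, bucket, key=""):
    return {"principal": principal, "sourceIPAddress": ip,
            "eventName": name, "bucket": bucket, "key": key}


# Constructed, simplified storage access events (not real CloudTrail output).
EVENTS = []
# Normal: the WAF host reads a handful of its own config objects from inside the VPC.
for i in range(5):
    EVENTS.append(_event(WAF_ROLE, "10.0.1.20", "GetObject", "waf-config", f"rules/{i}.conf"))
# Normal: a batch job reads many objects, but from one bucket and from inside the VPC.
for i in range(80):
    EVENTS.append(_event(ETL_ROLE, "10.0.2.31", "GetObject", "etl-input", f"day/{i}.csv"))
# Suspicious: the WAF role's credentials used from an external address to list every
# bucket in the account and then pull hundreds of objects across several of them.
EVENTS.append(_event(WAF_ROLE, "203.0.113.77", "ListBuckets", ""))
for b in ("customer-apps", "credit-scores", "ssn-archive", "transactions"):
    for i in range(60):
        EVENTS.append(_event(WAF_ROLE, "203.0.113.77", "GetObject", b, f"part-{i}.parquet"))


def detect_bulk_reads(events, max_objects=100, max_buckets=2, expected=EXPECTED_NETWORKS):
    """Map principal -> list of reasons for principals whose storage activity looks
    like exfiltration: credentials used outside the expected network, account-wide
    bucket enumeration, more than `max_objects` reads, or reads spanning more than
    `max_buckets` buckets. Principals with no reasons are omitted."""
    stats = defaultdict(lambda: {"objects": 0, "buckets": set(),
                                 "enumeration": False, "outside_ips": set()})
    for e in events:
        s = stats[e["principal"]]
        ip = ipaddress.ip_address(e["sourceIPAddress"])
        if not any(ip in net for net in expected):
            s["outside_ips"].add(str(ip))
        if e["eventName"] == "GetObject":
            s["objects"] += 1
            s["buckets"].add(e["bucket"])
        elif e["eventName"] == "ListBuckets":
            s["enumeration"] = True
    findings = {}
    for principal, s in stats.items():
        reasons = []
        if s["outside_ips"]:
            reasons.append("credentials_used_outside_expected_network")
        if s["enumeration"]:
            reasons.append("bucket_enumeration")
        if s["objects"] > max_objects:
            reasons.append("object_volume")
        if len(s["buckets"]) > max_buckets:
            reasons.append("bucket_fan_out")
        if reasons:
            findings[principal] = reasons
    return findings


if __name__ == "__main__":
    for principal, reasons in detect_bulk_reads(EVENTS).items():
        print(principal, "->", ", ".join(reasons))
```

The fixed thresholds are assumptions; a production version would keep a per-principal baseline (which buckets a role normally touches, and from where) so that a batch job reading thousands of objects from its own bucket stays quiet while a host role suddenly reading four unrelated buckets does not. The “credentials used from outside the expected network” check is the cheapest of the four and would fire on the first request, before any volume threshold is reached.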
Summary: Business email compromise scams, in which scammers impersonate corporate executives or suppliers to request money transfers, cost organisations in the US an average of US$301 million every month last year, according to a US government report.
Key risk takeaway: Email-based threats remain one of the primary cyber threats affecting businesses. In particular, business email compromise, also known as CEO fraud, has been highly lucrative, becoming a multi-billion dollar revenue stream for attackers within a few years. These emails are often not blocked by security technologies because they typically carry no malicious links or attachments: the payload is simply a plausible request from a sender who looks trusted, whether through a spoofed display name, a lookalike domain or a genuinely compromised mailbox. Educating staff to detect and report these emails is critical, as is a process control that no payment detail change or unusual transfer is actioned on the strength of an email alone.
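The sender-level tells mentioned above can be checked mechanically even when there is no link or attachment to scan. The following is an added example, not from the original roundup and not any vendor’s product: it parses three constructed plain-text messages (the corporate domain, executive directory, addresses and message text are all assumptions) and reports which heuristics each one trips:

```python
import email
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                          # assumption: our own mail domain
EXECUTIVES = {"jane smith": "jane.smith@example.com"}     # assumption: directory lookup
PAYMENT_WORDS = ("wire", "transfer", "urgent", "invoice", "bank details", "gift card")

# Constructed messages (not real correspondence): a legitimate internal note,
# a CEO impersonation from a free-mail account, and a lookalike-domain supplier invoice.
LEGIT = """\
From: Jane Smith <jane.smith@example.com>
To: finance@example.com
Subject: Quarterly planning

Can we meet on Thursday to go over the roadmap?
"""

CEO_FRAUD = """\
From: Jane Smith <jane.smith.ceo@gmail.com>
To: finance@example.com
Subject: Quick favour

I need you to process an urgent wire transfer today. I'm in a meeting and can't talk.
"""

SUPPLIER_FRAUD = """\
From: Accounts Payable <accounts@exarnple.com>
Reply-To: accounts@mail-secure-pay.net
To: finance@example.com
Subject: Invoice 4471

Please find attached invoice 4471. Our bank details have changed; use the new account.
"""


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain):
    """Collapse common visual substitutions so 'exarnple.com' and 'examp1e.com'
    compare equal to 'example.com'."""
    return domain.lower().replace("rn", "m").replace("0", "o").replace("1", "l")


def is_lookalike(domain, target=CORPORATE_DOMAIN):
    if domain == target:
        return False
    d, t = normalise(domain), normalise(target)
    return d == t or levenshtein(d, t) <= 1


def analyse(raw):
    """Return the list of heuristics a plain-text message trips, in a fixed order."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # 1. A known executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display_name_impersonation")
    # 2. Sender domain that is a near-miss of our own.
    if is_lookalike(from_domain):
        findings.append("lookalike_domain")
    # 3. Replies silently routed to a different domain than the one shown.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("reply_to_mismatch")
    # 4. Payment or urgency language in the body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if any(w in body.lower() for w in PAYMENT_WORDS):
        findings.append("payment_language")
    return findings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("ceo", CEO_FRAUD), ("supplier", SUPPLIER_FRAUD)):
        print(label, "->", analyse(raw))
```

None of these heuristics is proof on its own (an executive really can write from a phone, and a supplier really can move banks), which is why the output is a list of reasons to route the message for human review rather than a block decision, and why the payment process itself still needs an out-of-band verification step.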
Summary: A letter sent to 50,000 patients prescribed lithium, inviting them to take part in a bipolar disorder study, has raised questions about what sensitive health information Medicare stores and how it uses it.
Key risk takeaway: This story shines a light on growing consumer expectations and awareness of how their information is used by organisations once it is collected. While it appears in this case that the Department of Human Services (which administers Medicare) did not disclose any identifying information to third parties, the angry response of patients reflects the care with which personal information must be handled, particularly sensitive categories such as health information. Accepted best practice is that information be used only for the purpose for which it was collected (or a related purpose the individual would reasonably expect). In a similar vein, last month National Australia Bank apologised after uploading personal information of 13,000 customers, without their authorisation, to the servers of two third-party data service providers.
Tags: #privacy #consent