1 December 2020

News round-up Dec 2020 – Escalation in ransomware tactics, world-first privacy settlement and more

December 1, 2020

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up

For what appears to be the first time, a privacy settlement has dictated the need for an organisation to consider gender-based privacy risks. We look at the implications of the settlement in this roundup. Believe or not, there’s been yet another escalation in ransomware extortion tactics, while we look at why the Government’s critical infrastructure security bill is causing tech companies to get hot under the collar.  

Key articles:

Ransomware gang hacks Facebook account to run extortion ads  

Summary: A cybercrime group created Facebook advertisements to promote a ransomware attack on Campari Group in which 2 TB of unencrypted files was stolen and $15m demanded as ransom. 

Key risk takeaway: Businesses increasingly must prepare for highly public ransom demands, as extortion methods in ransomware attacks continue to escalate. The use of advertisements and press releases to publicly threaten the release of victims’ data reflects how ransomware gangs are upping the ante in releasing data and publicly drawing attention to attacks. The threats against Campari Group come as ransomware gangs linked to Iran and targeting Israeli companies launched a ‘leak directory’ on the dark web publishing the data of companies who have refused to pay ransomsIt’s little wonder that head of the US Cybersecurity and Infrastructure Security Agency Chris Krebs (fired by Trump) noted in his outgoing commentary that ransomware…is the most visible, disruptive cyber threat as I see it right now”.  

Tags:  #ransomware #cybersecurity 

Swedish insurer Folksam leaks data of 1 million customers to tech giants 

Summary: Sweden’s largest insurer, Folksam, accidentally leaked data on its one million customers to tech companies Facebook, Google, Microsoft and LinkedIn.  

Key risk takeaway: The Swedish insurer has warned other organisations to check how their websites use 3rd party tracking scripts in conjunction with personal data, arguing these commonly-used scripts led to the data breach. While Folksam believes the information has not been used, it remains to be seen what the regulatory response will be, with Folksam admitting that the data has now been transferred out of the EU. Third-party scripts can also create security vulnerabilities, as evidenced somewhat famously in the breaches suffered by British Airways and Ticketmaster. 

Tags: #databreaches #privacy 

Hotel booking software firm exposed over 10m guest data records 

Summary: Security researchers have discovered the sensitive personal information of over 10 million hotel guests due to a misconfigured AWS S3 bucket belonging to Prestige Software.  

Key risk takeaway: It’s been a whilebut a timely reminder here for organisations to properly secure data stored in the cloudSecurity researchers who discovered the unsecured data have contacted Prestige Security, however, as the dates on the information indicate that it has been unsecured since 2013, it appears likely the data has previously been accessed. The information exposed includes names, addresses, emails, credit card details, CVV numbers, and national ID numbers. Prestige Software is located in the EU and given the sensitivity of the information involved, we can expect to see a strong response from the regulator. 

Tags: #databreaches #privacy 

Tech giants not convinced Australia’s critical infrastructure Bill is currently fit for purpose 

Summary: The tech industry is concerned about the contents of the Security Legislation Amendment (Critical Infrastructure) Bill 2020, particularly about government step-in powers, definitions and a potential misunderstanding of the relationship between cloud service providers and customers. 

Key risk takeaway: Submissions to the Security Legislation Amendment (Critical Infrastructure) Bill 2020 indicate considerable concern among the tech industry about a misunderstanding of key terms and lack of oversight in government intervention powers. The draft intervention powers would allow the Government to install programs, access, add, restore, copy, alter or delete data, alter the “functioning” of hardware or remove it entirely from a location if there is a ‘serious cyber security incident’ that may impact a ‘critical infrastructure asset’. The tech industry argues there is a lack of clarity in what the triggers would be for intervention, what the checks and balances would be, and whether there would be judicial review. Some players have questioned how these laws would work for companies not headquartered in Australia, and who are also subject to other legislation.  

Tags: #cybersecurity #regulation 

NSW pushes its QR code app ahead of digital contact tracing mandate 

Summary: Businesses in NSW have been urged to adopt Service NSW’s in-app Covid Safe check-in tool ahead of the introduction of mandatory digital registration in late November. 

Key risk takeaway: The COVID era continues to highlight potential tensions between privacy and public safety. The NSW Government’s Covid Safe check-in tool looks like it may be able to satisfy both camps, supporting public safety while protecting user privacy. The app automatically captures the date and time of a visit, and securely stores the information on a Service NSW database for 28 days before being deleted. No personal information, such as name, email address or mobile number, is shared with the venue.  The built-in privacy protections of this app might give businesses some relief, after we noted last month that many businesses using third-party options were at risk of breaching their privacy obligationsThe risks in this area were highlighted this month by the news that flaws in the Philippines’ contact-tracing app left data on 30,000 health care providers open for access 

Tags: #privacy #COVID-19 #regulation 

Settlement Agreement With Health App Developer Part of Emerging Trend But Adds Unique Gender-Based Requirement 

Summary: The settlement agreement for security flaws in the Glow fertility app contains requirements to implement privacy- and security-by-designand for the app developer to consider gender-specific concerns.

Key risk takeaway: The edict for organisations to consider gender in assessing potential privacy and security breaches represents a continued focus by regulators on understanding potential harms from breaches of privacyThe settlement states that Glow must “consider how privacy or security lapses may impact online threats affecting women and online risks that women face, or could face, including gender-based risks, from privacy and security lapses.” It comes as Australia’s privacy regulator looks closer at privacy considerations relating to children and other vulnerable populations, while Zoom also reaches a settlement with the FTC over privacy concerns and security misrepresentations. 

Tags: #cybersecurity #regulation #privacy  

Census 2021 cyber security measures only ‘partly appropriate’, audit finds 

Summary: An audit by the Australian National Audit Office has found that the Australian Bureau of Statistics only has ‘partly appropriate’ cyber security measures in place for the 2021 census, and that it hasn’t acted on all of the lessons from the 2016 census.  

Key risk takeaway: The census is a highrisk target, both because of its strong ‘honeypot’ appeal and the high-profile nature of the census event itself. The ABS risks significant reputational damage if it can’t guarantee the security of both the process and the information collected. The ABS has accepted all seven recommendations from the report, but it’s a safe bet that there will be more scrutiny of their cyber security in the lead up to the census.  

Tags: #cybersecurity #government