Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email to subscribe.

The round-up:

A new pro-privacy manifesto from Facebook hasn’t gone down as smoothly as CEO Mark Zuckerberg might have liked. Month after month of privacy scandals will do that to you. Meanwhile state-sponsored hackers have again been busy, targeting the Trump-Kim summit and widely-used virtualisation software provider Citrix. No wonder there are calls again for a Cyber Geneva Convention.

Key articles:

North Korean hackers go on phishing expedition before Trump-Kim summit

Summary: Pyongyang-linked hackers reportedly targeted Korean speakers with spearphishing emails ahead of the diplomatic summit between US President Donald Trump and North Korea’s Kim Jong Un.

Key risk takeaway: Attackers deploy a variety of techniques across the lifecycle of an attack, but initial access to a network often relies on spearphishing. While secure email gateways can be effective against generic, so-called “commodity” phishing campaigns, blocking more targeted spearphishing emails is more challenging. As this case shows, attackers use public events and public information to gather the data needed to create highly realistic and contextual emails. Identifying these emails as scams is unquestionably hard, but continuous user education is the key. The deployment of spearphishing around the US/North Korea summit comes as security researchers detailed its likely use in last year’s compromise of 1.5 million patient records from Singapore’s largest public health organisation, SingHealth.

Tags: #spearphishing #securityawareness


A Privacy-Focused Vision for Social Networking

Summary: Facebook CEO Mark Zuckerberg penned a new vision for the social network based around ‘pivoting to privacy’, but the announcement was met with scepticism and cynicism.

Key risk takeaway: Even if the harshest analyses are taken on board – that Zuckerberg’s ode to privacy is primarily intended to ease the way for the integration of Facebook, WhatsApp and Instagram – this story speaks to the growing importance of digital trust for technology brands. In a marketplace where other tech giants are having relative success associating their brands with privacy, Facebook is evidently seeking to establish a more proactive narrative in this space. In truth, cultivating digital trust ought to be a priority for executives of any data-centric business. Read more about this in our blog post.

Tags: #trust #privacy #compliance #reputationmanagement


Privacy complaints received by EU watchdog up more than 2x since GDPR

Summary: A report by the Irish Data Protection Commission – the lead data watchdog for a large number of tech giants operating in Europe – shows a significant increase in privacy complaints and data breach notifications since the region’s updated privacy framework came into force last May.

Key risk takeaway: Unsurprisingly, statistics emerging from the data protection regimes newly introduced in 2018 reveal growing public and regulatory focus on privacy, and the importance of businesses having effective compliance programs in place. The new laws have not only increased levels of oversight and financial penalties, they have also heralded more dialogue and awareness among consumers about their data rights. This is reflected in a 56% increase in complaints to the Irish Data Protection Commission when comparing the periods before and after the introduction of GDPR.

Tags: #trust #privacy #compliance #reputationmanagement


An email marketing company left 809 million records exposed online

Summary: Security researchers discovered an unprotected, publicly accessible database containing 150 gigabytes of marketing data – including 763 million unique email addresses.

Key risk takeaway: Leaks like this remind us of the vast repositories of personal data that have been acquired and – sadly – inadequately protected by data aggregators and data marketing firms (with whom many of us have no knowing or direct relationship). These data troves are used by cyber criminals to craft social engineering campaigns or perform credential stuffing (where they try the usernames and passwords found in the trove against a range of other online accounts). Continued staff education on detecting phishing emails and on using strong, unique passwords is a key mitigant against these tactics.

Tags: #securityawareness


Thai lawmakers approve controversial cybersecurity act

Summary: Thailand has passed a cyber security law that seeks to address computer hacking crimes, but activists – who label the legislation “cyber martial law” – fear it will allow the government sweeping access to people’s personal information.

Key risk takeaway: Thailand follows Vietnam and China in introducing new cyber security laws, and in doing so has raised concerns among individuals and businesses that operate in those jurisdictions. The intention to enforce national security or national sovereignty objectives via these laws is considered by many to be at odds with an open internet underpinned by human rights such as free speech and privacy. As we’ve observed in previous news roundups, complying with new data protection and cyber security laws and regulations will be a growing challenge for businesses with a global footprint.

Tags: #regulations #legislation #cybersecurity #privacy


Citrix says its network was breached by international criminals

Summary: Virtualization software provider Citrix said its internal network was breached by international criminals who most likely exploited weak passwords to gain initial access.

Key risk takeaway: The widespread impact of software supply chain risk could hardly be illustrated better than by a story like this – Citrix’s products and services are used by more than 400,000 organisations around the world, including 98 percent of Fortune 500 companies. Citrix states there is no indication that the security of any of its products has been compromised, but acknowledges the investigation is in its early stages. Businesses that use Citrix products or services should stay tuned for updates from the company (which it has promised to provide) via its website.

Tags: #supplychainrisk #incidentresponse
