At a glance.
- NIST wants to develop a privacy workforce taxonomy.
- European privacy regulators delay imposition of fines on Twitter.
- University of Utah pays up in ransomware attack.
- Cooke County, Texas, sheriff's office breached.
- Royal Canadian Mounted Police investigating Royal Military College of Canada ransomware incident.
- Fertility app shared user data with Chinese marketing firms.
- Former Uber CSO charged in connection with concealing a data breach.
- Comment on the Experian breach.
A privacy workforce taxonomy.
The US National Institute of Standards and Technology (NIST) is seeking to develop a taxonomy for a privacy workforce. The task is not a straightforward one, since many personnel in disparate parts of any given organization have responsibilities that touch on privacy without privacy being their sole or even principal responsibility. Thus NIST is interested in defining "a workforce capable of managing privacy risk." The Institute wants a taxonomy that's aligned with its Privacy Framework and that can inform the development of a workforce able to manage privacy risk. A secondary goal of the effort is to help shape consistent position descriptions that could in turn inform education and training. Any parties interested in helping NIST define the problem and see its way forward are invited to attend a virtual workshop on September 22nd through 24th.
EU regulators debate Twitter's penalty for privacy infractions.
SecurityWeek reports that Ireland's Data Protection Commission had been ready to issue its decision on a fine for Twitter, but delayed that decision until objections other European national privacy authorities raised to the draft could be addressed and resolved. The case in question involved a bug in Twitter's Android app (since fixed) that exposed protected tweets. The decision would have imposed the first large fine on a major US tech company under GDPR. The European system for enforcing the privacy rights GDPR guarantees is a mixed one: it's designed as a "one-stop shop" for regulatory action in which each company answers to a single lead national privacy authority, but it also requires that draft decisions be circulated to the other national commissions, which can object to and block the draft. The Wall Street Journal says the Irish Commissioners have referred the matter to the European Data Protection Board, which will decide the matter by vote within a month. The case is not only the first in which a US company faces a large GDPR fine, but also the first in which a national authority has had to buck an action up to the European level.
The University of Utah pays ransom to recover from cyberattack.
After a ransomware attack that hit its College of Social and Behavioral Sciences on July 19th, the University of Utah paid its extortionists, BleepingComputer reports. The University said in its disclosure that the decision to pay was reached in close consultation with its insurance carrier, and that the amount it turned over to the attackers was $457,059.24. ZDNet says the University was able to restore systems and data from backups, but that it decided to pay the ransom to prevent the criminals from releasing the personal data they'd stolen in the course of the attack. "The university's cyber insurance policy paid part of the ransom, and the university covered the remainder," the disclosure said in part. "No tuition, grant, donation, state or taxpayer funds were used to pay the ransom."
Which ransomware gang was behind the attack remains undisclosed, but Emsisoft told ZDNet that the attack looked like the work of NetWalker, which has made a specialty of hitting universities. We heard from Ilia Kolochenko, Founder and CEO of ImmuniWeb, who sees the decision to pay as fundamentally misguided:
"The decision to pay a fairly important ransom will likely bolster sophisticated attacks against US universities that are already surging. When your data is just encrypted, and there is no economically practical way to decrypt it and restore operations but to pay a ransom, yielding to the attackers may be a sound decision as a matter of business.
"Numerous examples from the past, however, convincingly demonstrate that hackers will not necessarily honor their nebulous promises, and release the data even after being fully paid. Worse, given the division of labor and collaboration between different gangs on the global cybercrime market, the gang behind the ransomware attack is usually not the only one with access to the stolen data. Thus, by accepting a payment from the victim, they have no factual means to guarantee that their accomplices won't suddenly leak the data for fun or for profit.
"The use of cyber insurance to pay the ransom is rather bad than good. It will likely encourage other would-be victims to regard insurance as a panacea, disregarding their cybersecurity and data protection. Moreover, in light of such an alarming trend, cyber insurance companies will inevitably raise their premiums thereby hurting innocent companies and making insurance far too expensive for others."
It's indeed difficult to see how paying ransom would keep criminals from releasing data. The agreement seems unenforceable: it's not the sort of contractual transaction one could enforce in civil court, and stolen data can quickly find their way into other hands, so there's a great deal of hope behind the decision. How this high degree of uncertainty and forced, misplaced trust figured into the University's cost-benefit calculus is unclear.
There's also the problem that paying ransom encourages the growth of a bandit economy. But on balance the insurer's involvement seems a positive sign. Security informed by actuarial insight is likely to be better security. Good building fire codes, for example, came more from the insurance industry than from government action. Government action was the final result, but it followed the underwriters' lead.
Texas sheriff's office breached.
More than two thousand residents of North Texas have been notified that they may have been affected by a data breach at the Cooke County Sheriff's Office, Government Technology reports. The exposed information was personal data accumulated in cases over the past several years, and the exposure was incidental to a ransomware attack. The attackers haven't been publicly identified, but the Sheriff's Office has said it believes they were not based inside the United States.
Mounties have the Royal Military College breach under investigation.
According to the Globe and Mail, the Royal Canadian Mounted Police are investigating the data incident at the Royal Military College of Canada. The RCMP is working in cooperation with intelligence personnel from the Department of National Defence. The incident has been confirmed to be a ransomware attack. As is now customary, the attack also involved data theft, in this case of personal data belonging to cadets.
Fertility app shared user data with Chinese marketing firms.
The Washington Post, citing research by the International Digital Accountability Council (IDAC), reports that Premom, an Illinois-based fertility app owned by Easy Healthcare, was collecting user data and sharing that information with three Chinese advertising companies, Umeng, UMSNS, and Jiguang. Premom told the Post that it had no relationship with either Umeng or UMSNS (although the IDAC said the company had shared with them as recently as June, in a version of its app that was then the most current) and that it was ending its arrangement with Jiguang.
Former Uber executive charged in relation to a 2016 data breach.
In this case, the alleged crime is the alleged coverup. The US Attorney for the Northern District of California has filed a criminal complaint charging Joseph Sullivan with "obstruction of justice and misprision of a felony in connection with the attempted cover-up of the 2016 hack of Uber Technologies Incorporated." When he was Chief Security Officer of Uber, Mr. Sullivan is alleged to have paid hackers "a six-figure payment" in exchange for their silence concerning their undisclosed theft of personally identifying information connected to some fifty-seven-million Uber drivers and passengers. Mr. Sullivan is said to have channeled the payment through a corporate bug bounty program with a view to concealing information about the breach from the Federal Trade Commission.
The payment is reported to have been $100,000 in the form of Bitcoin, the criminal recipients of which were asked to enter into a non-disclosure agreement that included "a false representation that the hackers did not take or store any data." The two hackers were eventually arrested and prosecuted, and they accepted guilty pleas. Mr. Sullivan is also alleged to have kept information about the hack from the new management team that arrived at Uber in 2017. Android Headlines reports that Mr. Sullivan's attorneys say the charges are without merit, and that any decisions about disclosure were reached collaboratively by the company's leadership as a whole. Himself a former Federal prosecutor, Mr. Sullivan is currently Chief Security Officer of Cloudflare. This case is believed to represent the first prosecution of a CSO on charges of concealing a data breach.
Comment on the Experian breach.
On Wednesday, Experian's South African branch disclosed a data breach. The credit bureau has been cooperating with authorities, and says it's confident the breach had been contained once the suspect was apprehended and his device taken, inspected, and purged of the stolen data. Saryu Nayyar, CEO of Gurucul, commented on the exposure a credit bureau faces as a high-value target:
“Experian is in the headlines again for suffering a major cyberattack. As a consumer credit reporting company, they are clearly a high value target for cybercriminals. Likely the company has an array of cybersecurity protections in place to prevent data breaches. Social Engineering, however, is a different animal. In this case, an individual fraudulently claimed to represent a client and gained access to Experian services. This person then made off with 24 million [South Africans'] PII as well as information from 800,000 businesses. Fraud is malware's ugly cousin. You need different controls to detect and catch social engineering and fraudulent behavior because fraud isn't code. Fraud isn’t a malware application. People commit it.”