At a glance.
- CRA and Blackbaud each face class action suits.
- An apparent election data breach false alarm.
- Data breach at the American Payroll Association.
Class action suits in the CRA breach and the Blackbaud ransomware incident.
Insurance Business confirms that the Canada Revenue Agency is facing a class action lawsuit over the data breach it sustained between March and the attack's discovery in mid-August. The plaintiffs allege that CRA's inattention permitted the total number of affected individuals to rise to at least 14,500. The language in the suit is passionate: “The actions of the [CRA] are reprehensible,” the claim stated, “and showed a callous disregard for the rights of [victims],” and the agency's conduct amounted to “a deliberate ... departure from ordinary standards of decent behaviour, and as such merits punishment.”
BankInfo Security discusses the proposed class action suit that Blackbaud, the customer-relations management service for not-for-profits, faces over its own ransomware incident. The suit takes particular notice of Blackbaud's decision to pay the attackers' ransom, and of the company's reassurance that the payment served to protect the exposed data. "Defendant cannot reasonably rely on the word of data thieves or 'certificate of destruction' issued by those same thieves, that the copied subset of any Private Information was destroyed," the suit reads in part.
The difference between a breach and a matter of public record.
This morning the Russian-language newspaper Kommersant set off a Twitter flurry with a report that voter “data” had leaked into the Russian underground. Dark web souks were discussing the availability of information touching some 7.6 million Michigan voters as well as "millions" of voters in other states, Connecticut, Arkansas, Florida and North Carolina among them. The data were said to include name, date of birth, gender, date of registration, address, postal code, e-mail, voter identification number and polling station number.
But, as Dmitri Alperovitch, co-founder of CrowdStrike and current chair of the Silverado Policy Accelerator, tweeted in an update, there’s probably a lot less here than meets the eye. In many states all of that information is considered a matter of public record, and can be supplied in response to ordinary information requests. He also notes the absence of other sensitive information, like Social Security Numbers, from the data under discussion.
One aspect of Kommersant’s story is interesting. The newspaper said that the dark web hoods with the data on their hands were mulling ways of monetizing the information they held. One suggestion they liked was the idea of turning the data over to the US State Department in exchange for a payout under the Rewards for Justice Program. It probably wouldn't work, but give them high marks for creativity.
American Payroll Association discloses data breach.
The American Payroll Association has disclosed that it discovered a data breach "on or about July 31." Attackers exploited a vulnerability in the Association's content management system to install a skimmer on its login webpage and in the checkout section of its online store. Credentials and paycard data were taken, as were certain other bits of information, including first and last names, email address, job title and role, "primary job function," the supervisor to whom the individual described by the data reports, gender, date of birth, business or home address, company name (and size), industry, the payroll and time-and-attendance software used in their workplace, and, in some cases, profile photos and social media usernames. The Association is offering affected persons a year of free credit monitoring and a million dollars in identity theft insurance.
Ameet Naik, security evangelist at PerimeterX, emailed us some comments on the breach:
“Client-side data breaches are a major risk to organizations in the era of stronger data privacy regulations such as CCPA. This attack on the American Payroll Association’s websites affected not only the payment page but also the login page, resulting in theft of usernames and passwords. The APA is an attractive target for Magecart attackers since their members have access to tools and systems that contain payroll data for millions of individuals. The attackers can brute force other payroll systems using the same stolen credentials to find other account takeover targets.
“Digital skimming and Magecart attacks take advantage of Shadow Code in websites introduced via third-party scripts, open source libraries or third-party plugins for content management systems. This Shadow Code, introduced without formal approvals or security validation, can expose websites to client-side attacks leading to data breaches and compliance violations.
“Businesses must take steps to manage the Shadow Code risks by applying timely security patches and upgrading vulnerable open source libraries and third-party plugins. In addition, client-side application security solutions can provide full runtime visibility and control over all scripts and prevent client-side data breaches. Consumers must ensure that they use unique passwords and multi-factor authentication for different websites to minimize the risk of account takeover (ATO) attacks, and must continue to monitor their credit reports for signs of identity fraud.”
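As an added illustration of the script-inventory idea behind the "visibility and control over all scripts" that Naik mentions (this is example code written for this digest, not code from the article, the APA, or PerimeterX), the Python below audits the `<script>` elements of a saved copy of a page against a baseline: external scripts must come from an allowlisted origin and carry a Subresource Integrity attribute, and inline scripts must match a known set of CSP-style `sha256-` hashes. A Magecart-style skimmer that a compromised CMS plugin injects into a login or checkout page would show up as an unexpected origin or an unknown inline hash. The allowed origins, the baseline hashes and the sample page are all constructed for the example.

```python
"""Static audit of the scripts a page loads, as a defender's check for
Shadow Code: unexpected third-party or inline JavaScript of the kind that
digital skimmers ride on. Run it over a stored copy of the login and
checkout pages and compare against a reviewed baseline."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects every <script> element with its src, integrity and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self._open = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        # HTMLParser delivers script contents as data between the tags.
        if self._open is not None:
            self._open["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def sha256_b64(text):
    """CSP/SRI-style digest of an inline script body: 'sha256-<base64>'."""
    return "sha256-" + base64.b64encode(hashlib.sha256(text.encode()).digest()).decode()


def audit_scripts(html, allowed_origins, baseline_inline_hashes):
    """Return a list of (kind, detail) findings for scripts outside the baseline."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"]:
            host = urlparse(s["src"]).netloc.lower()
            if host == "":
                continue  # relative URL, same-origin: covered by the site's own deploy review
            if host not in allowed_origins:
                findings.append(("unexpected-origin", s["src"]))
            elif not s["integrity"]:
                findings.append(("missing-sri", s["src"]))
        else:
            digest = sha256_b64(s["body"])
            if digest not in baseline_inline_hashes:
                findings.append(("unknown-inline", digest))
    return findings


# Constructed baseline: the one CDN the site is known to use, and the one
# inline snippet that was reviewed and approved.
ALLOWED_ORIGINS = {"cdn.example.net"}
BASELINE_INLINE = {sha256_b64("window.__tag = 1;")}

# Constructed sample of a checkout page after a hypothetical plugin compromise:
# the last two scripts are not in the baseline.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script>window.__tag = 1;</script>
<script src="https://stats.example-unknown.invalid/collect.js"></script>
<script>document.title = document.title;</script>
</head><body><form id="checkout"></form></body></html>"""


def demo():
    """Audit the constructed sample page against the constructed baseline."""
    return audit_scripts(SAMPLE_PAGE, ALLOWED_ORIGINS, BASELINE_INLINE)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind}: {detail}")
```

This is a static, point-in-time check, not the runtime monitoring the quoted comments refer to: it catches scripts that are present in the served HTML, and a script that later loads further code at runtime is only caught if the loader itself is off-baseline. Pairing the audit with a Content-Security-Policy that uses the same origin allowlist and hashes turns the baseline into something the browser enforces as well.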